Re: [w3ctag/design-reviews] Navigation to Unsigned Web Bundles (Web Packaging) (#509)

I think the warnings we'd display on an unsigned bundle would depend on the kind of attack we're worried about. I haven't talked to our security teams yet about this in particular, but I'd guess that the risk you're worried about here is that a bundle at https://attacker.example/attack.wbn contains a resource that claims to be from https://accounts.google.com/ and looks like the Google login screen. I think that's mitigated in the proposed system by:

1) De-emphasizing the claimed URL in the same way we de-emphasize the path or fragment in other URLs: https://github.com/WICG/webpackage/blob/master/explainers/bundle-urls-and-origins.md#rendering-the-url-bar
2) Teaching SafeBrowsing and similar systems to scan inside bundles in the same way they scan normal HTML files. If they notice hostile content, show the same interstitial they'd show for non-bundled hostile HTML pages.

Is there a particular attack you think bundles make easier, which the above mitigations don't help enough with?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/509#issuecomment-668345540

Received on Tuesday, 4 August 2020 02:35:45 UTC