[whatwg/fetch] [Security] Declarative network permissions in parent scope for safe request default mode (#1209)

### Context:

The default mode of a request is "_no-cors_", meaning that, by default, the Fetch API is unsafe to use, as the specification itself points out. It is also available by default in `script` tags, so a tampered script loaded from a remote third-party CDN gains full network access within the context of the document or application.

### Background:

In https://github.com/whatwg/html/issues/6553, a declarative way was introduced for web developers to easily reason about network permissions without having to deal with HTTP headers, via the `allow-net` attribute on insecure HTML tags. This declarative way of defining network policies would be more in line with the HTML specification, while offering:

- enhanced, fine-grained network permissions,
- the possibility to gain network isolation for critical parts of the document/application (https://github.com/whatwg/html/issues/6547),
- the possibility to define and even extend declarative cross-origin communication scenarios, by leveraging the Shared Worker technology (https://github.com/whatwg/html/issues/6555).

### Proposal:

The Fetch API can be made safe by default by using declarative network permissions in the parent scope, via the `allow-net` attribute in insecure HTML tags.

### Example:

```html
<script allow-net="https://example.com">
/* Script only has network access to the origin https://example.com */

/* The following fetch will fail: anothersite.com is not in allow-net */
fetch('http://anothersite.com/data.json')
  .then(response => response.json())
  .then(data => console.log(data));

/* The following fetch will likely succeed: same scheme and host as allow-net */
fetch('https://example.com/data.json')
  .then(response => response.json())
  .then(data => console.log(data));

</script>

<script>
/* Script has no allow-net attribute and therefore no network access */

/* The following fetch will fail */
fetch('http://example.com/data.json')
  .then(response => response.json())
  .then(data => console.log(data));

</script>
```

Those declarative permissions could be set at the level of the whole document in the `head` element, or in a fine-grained way within insecure HTML tags such as `iframe`, `portal`, `script`, etc., that is, everywhere the Fetch API can be used.
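To make the proposed semantics concrete, here is an added example (not part of the issue, and not an implementation of any browser or spec) of how an `allow-net` value could be matched against a request URL and enforced by wrapping `fetch`. It assumes the attribute holds a whitespace-separated list of origins, that matching is by full origin (scheme, host, port), and that an absent or empty attribute grants no network access; the function names are hypothetical.

```javascript
// Hypothetical allow-net matcher and fetch guard (added example, not from the issue).
// Assumption: the attribute value is a whitespace-separated list of origins;
// a missing or empty attribute means "no network access at all".

// Canonical origin of an absolute URL: scheme://host[:port], default ports dropped.
function originOf(urlString) {
  const url = new URL(urlString); // throws on relative or malformed input
  return url.origin;              // e.g. "https://example.com"
}

// Parse the attribute into a Set of canonical origins.
// Malformed entries are skipped rather than widened into a broader rule.
function parseAllowNet(attrValue) {
  const allowed = new Set();
  if (attrValue == null) return allowed;
  for (const token of attrValue.trim().split(/\s+/)) {
    if (!token) continue;
    try { allowed.add(originOf(token)); } catch { /* skip malformed entry */ }
  }
  return allowed;
}

// Decide whether a request to `requestUrl` is permitted by the attribute value.
// Scheme is significant: https://example.com does not cover http://example.com.
function isRequestAllowed(attrValue, requestUrl) {
  let target;
  try { target = originOf(requestUrl); } catch { return false; }
  return parseAllowNet(attrValue).has(target);
}

// Wrap a fetch-like function so the policy is checked before any network activity.
// Blocked requests reject with a TypeError, mirroring how fetch reports failures.
function makeGuardedFetch(attrValue, realFetch = globalThis.fetch) {
  return (input, init) => {
    const url = (typeof input === "object" && input !== null && "url" in input)
      ? input.url : String(input);
    if (!isRequestAllowed(attrValue, url)) {
      return Promise.reject(new TypeError(`allow-net: request to ${url} blocked`));
    }
    return realFetch(input, init);
  };
}

// The three cases from the proposal above (constructed inputs, no network needed):
const scriptPolicy = "https://example.com";
isRequestAllowed(scriptPolicy, "http://anothersite.com/data.json"); // false
isRequestAllowed(scriptPolicy, "https://example.com/data.json");    // true
isRequestAllowed(null, "https://example.com/data.json");            // false
```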

https://github.com/whatwg/fetch/issues/1209

Received on Tuesday, 6 April 2021 09:25:52 UTC