Re: [whatwg/fetch] COEP:credentialless and the HTTP cache. (#1253)

> The fact that a site may get an older copy of the resource depending on the credential bit does seem confusing - maybe it would make more sense to just not use the cached resource if the `includeCredentials` bit doesn't match? 

Firefox and the spec have behaved this way for many years; this might mean this isn't a big deal? It has stood the test of time.
Firefox implemented this 13 years ago. I believe all of this started approximately from this patch:
https://github.com/mozilla/gecko-dev/commit/bd5e92615c05bbfbdea200dc614ea104d48765e5

However, your suggestion looks like a good idea to try if the current specification causes confusion for developers.
My preference would still be to align Chrome with the spec (+Firefox) first for interoperability, and later think about updating the spec and dropping entries with mismatching `includeCredentials` parameters if we can reach an agreement about this here.

I think the real question is whether the `COEP:credentialless` security model still holds despite intermediary caches. We can fix Chrome's cache by adopting the spec, and websites can fix their own caches. However, it is not possible to control intermediary caches that neither Chrome nor the website controls.
We want to prevent a `crossOriginIsolated` website from loading cross-origin private data without an explicit opt-in from the server (`CORS` or `CORP`).
- `CrossOriginIsolation` requires HTTPS, so the only intermediary caches that matter are the ones owning the website's SSL private key. So a potential leak can only happen within the website's control.
- If the intermediary cache leaks private data toward anonymous requests, then I would argue this already represents a security problem for the website, independently of `crossOriginIsolation`. If the intermediary cache keys responses by IP address, then the leak happens between two users from the same local network, otherwise globally.

I think I convinced myself intermediary caches weren't an issue, but it is probably worth discussing it more deeply with the security team in case I am missing something.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1253#issuecomment-891981512

Received on Tuesday, 3 August 2021 16:18:17 UTC
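The reply above contrasts three ways a browser HTTP cache can treat the `includeCredentials` bit: ignoring it (the behaviour the reply says Chrome's cache needed fixing for), keying entries by URL plus the bit (what the reply attributes to the spec and Firefox, which can hand back an older copy depending on the bit), and the quoted suggestion of refusing a cached entry whose bit does not match. The following simplified model, added here as an example and not taken from the Fetch spec, Chrome or Firefox, replays the scenario under each policy. The origin server, the URL and the response bodies are constructed for illustration; the model is not the spec's cache algorithm.

```javascript
// Added example: a simplified model of a browser HTTP cache under three keying
// policies. Not the Fetch spec's algorithm nor Chrome's or Firefox's code.

// Constructed origin server: one URL whose body depends on whether the request
// carried credentials (e.g. a cookie). `version` lets us observe staleness.
// No CORS/CORP headers are set, so a COEP:credentialless page must never see
// the credentialed ("private") body.
const server = {
  version: 1,
  respond(url, includeCredentials) {
    const body = includeCredentials
      ? `private:v${this.version}`
      : `public:v${this.version}`;
    return { url, body, isPrivate: includeCredentials, fromCache: false };
  },
};

// Cache keying policies modelled here:
//   'url-only':        key = URL; the credentials bit is ignored
//   'partitioned':     key = URL + credentials bit; both copies may coexist
//   'reject-mismatch': key = URL; an entry is reused only if its bit matches
class HttpCache {
  constructor(policy) {
    this.policy = policy;
    this.entries = new Map();
  }
  key(url, includeCredentials) {
    return this.policy === 'partitioned'
      ? `${includeCredentials ? 'cred' : 'anon'}:${url}`
      : url;
  }
  fetch(url, includeCredentials) {
    const k = this.key(url, includeCredentials);
    const hit = this.entries.get(k);
    const usable =
      hit &&
      (this.policy !== 'reject-mismatch' ||
        hit.includeCredentials === includeCredentials);
    if (usable) return { ...hit.response, fromCache: true };
    const response = server.respond(url, includeCredentials);
    this.entries.set(k, { includeCredentials, response });
    return response;
  }
}

// Replays the thread's scenario: a credentialed load, a content update on the
// server, a credentialless no-cors fetch from a crossOriginIsolated page, then
// another credentialed load. Returns what each step observed.
function runScenario(policy) {
  server.version = 1;
  const cache = new HttpCache(policy);
  const url = 'https://example.test/profile.json'; // constructed URL
  const first = cache.fetch(url, true);   // top-level credentialed load
  server.version = 2;                     // resource changes on the server
  const anon = cache.fetch(url, false);   // COEP:credentialless subresource fetch
  const again = cache.fetch(url, true);   // credentialed load once more
  return {
    credentialed1: first.body,
    credentialless: anon.body,
    leaked: anon.isPrivate,               // private data reached a credentialless fetch
    credentialed2: again.body,
    staleOnSecondLoad: again.body !== `private:v${server.version}`,
  };
}

for (const policy of ['url-only', 'partitioned', 'reject-mismatch']) {
  console.log(policy, runScenario(policy));
}
```

With `url-only` the credentialless fetch is served the cached private body, which is exactly the cross-origin leak the reply says `COEP:credentialless` is meant to prevent. With `partitioned` nothing leaks, but the second credentialed load gets the older `v1` copy, the confusion the quoted comment describes. With `reject-mismatch` nothing leaks and every request sees current data, at the cost of a network round trip whenever the bit flips.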