Re: [w3ctag/design-reviews] "credentialless" embedder policy. (#582)

> What about `cors` requests, though? It doesn't seem like the server would have any expectation of risk around sending data to itself (and, as written, I think CORS requests would automatically pass, given the same-originness?). That seems like a potential for leakage that isn't well-explored, especially in the status quo world without OOPIF. 

I think this may actually be simpler than you imply: An iframe loaded credentiallessly should load all of its resources credentiallessly. This applies to both same-origin resources (the requests shouldn't include cookies) and to cross-origin requests in `cors` mode: since they wouldn't carry credentials, they wouldn't leak any data as a result of being loaded by the iframe. (The external origin serving `cors` resources to the iframe may trust the origin of the iframe and allow these requests to be served even if it denies requests from other origins; but this still doesn't reveal any information because the requests are unauthenticated -- after all, an attacker could just fake the `Origin` header and send an identical request from their own device.)

In this approach, even _without OOPIFs_, it's hard for me to see any risk for the iframe because:
1. Resources loaded by the frame won't include authenticated data which could leak to the embedder.
2. Same-origin state available to the iframe (e.g. `localStorage`) would be limited to what is present in the current storage partition, so it wouldn't contain data set when the embedded origin is in a top-level context.

So, while I completely understand that pursuing credentiallessness only for subresources can be good tactically (it's a simpler problem), it's hard for me to see a compelling security reason to require a separate opt-in from iframes. Am I missing something? :)

https://github.com/w3ctag/design-reviews/issues/582#issuecomment-775033736

Received on Monday, 8 February 2021 10:16:11 UTC