Re: [w3c/ServiceWorker] `CacheStorage` & `COEP:credentialless` (#1592)

We now have some tentative tests (49 cases) for Document, SharedWorker, ServiceWorker, and DedicatedWorker:
https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cache-storage.tentative.https.html?label=experimental&label=master&aligned
_(Firefox already has 4 more passing tests than Chrome for `require-corp`. Great job! Those will be fixed very soon by plz-{DedicatedWorker, SharedWorker}.)_

----

I prototyped plumbing the `request`'s `includeCredentials` (from the HTTP fetch algorithm) into the stored `response`.
If during the `Cache.match algorithm`:
- The `response` is `opaque`.
- The `response`'s `requestIncludeCredentials` is true
- The client `embedder policy` is `credentialless`

Then, we have two options:
1. Return an error directly.
2. Run the `CORP check algorithm` with `require-corp` and return an error if it fails.

(1) is simpler and stricter.
(2) is more permissive. Responses requested with credentials are allowed if they pass the CORP check.

I am not sure it really matters. CacheStorage is a per-origin API. I am expecting websites to use a consistent COEP policy for the whole website & workers. I don't believe there will be a strong use case for using CacheStorage with different COEP policies. So I believe the strictest option (1) to be better. We can always make it more permissive later, if we feel this is useful.
Does that seem reasonable to you?

----

Note: Here are the expectations for both cases on the test `cache-storage.tentative.https.html`. The test makes a cross-origin, `no-cors`, `credentials: include` request from one context and tries to retrieve it from another one with a different COEP policy.

| Test \ expectations                                   | (1)         | (2)         |
|-------------------------------------------------------|-------------|-------------|
| [document] unsafe-none => credentialless              | "error"     | "error"     |
| **[document] unsafe-none => credentialless + CORP.**  | "error"     | "retrieved" |
| [document] credentialless => credentialless.          | "retrieved" | "retrieved" |
| [document] credentialless => credentialless + CORP.   | "retrieved" | "retrieved" |
| **[document] require_corp => credentialless + CORP.** | "error"     | "retrieved" |

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1592#issuecomment-838507694

Received on Tuesday, 11 May 2021 13:49:32 UTC
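
The decision described in the comment above, modelled as an added example that is not part of the original message or of any browser's implementation. Assumptions: the object fields and function names are hypothetical, "+ CORP" is taken to mean `Cross-Origin-Resource-Policy: cross-origin`, the CORP check is reduced to the cross-origin case, and a `credentialless` writer is assumed to send the `no-cors` cross-origin request without credentials.

```javascript
// Simplified model of the proposed Cache.match check for a reader whose
// embedder policy is `credentialless`. All names here are hypothetical.

// Response as stored by a writer context that issued a cross-origin,
// no-cors, credentials: "include" request.
function storeResponse(writerCoep, corpHeader) {
  return {
    type: "opaque",
    // Assumption: under COEP credentialless the request goes out without
    // credentials; under unsafe-none and require-corp it includes them.
    requestIncludeCredentials: writerCoep !== "credentialless",
    corp: corpHeader, // null when the server sent no CORP header
  };
}

// CORP check as run for `require-corp`, reduced to a cross-origin resource:
// only an explicit `cross-origin` opt-in passes.
function corpCheckRequireCorp(response) {
  return response.corp === "cross-origin";
}

// option 1: always error; option 2: error only if the CORP check fails.
function matchFromCredentialless(response, option) {
  const flagged =
    response.type === "opaque" && response.requestIncludeCredentials;
  if (!flagged) return "retrieved";
  if (option === 1) return "error";
  return corpCheckRequireCorp(response) ? "retrieved" : "error";
}

// The five rows of the table above: [writer COEP, CORP header on response].
const rows = [
  ["unsafe-none", null],
  ["unsafe-none", "cross-origin"],
  ["credentialless", null],
  ["credentialless", "cross-origin"],
  ["require-corp", "cross-origin"],
];

// Returns [[option1, option2], ...] in table order.
function expectations() {
  return rows.map(([writerCoep, corp]) => {
    const stored = storeResponse(writerCoep, corp);
    return [matchFromCredentialless(stored, 1), matchFromCredentialless(stored, 2)];
  });
}

console.log(expectations());
```

The two options differ only on rows where the response was fetched with credentials and the server opted in through CORP.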