Re: [w3ctag/design-reviews] TAG review for web app `scope_extensions` (Issue #875) from Daniel Murphy on 2024-09-04 (public-webapps-github@w3.org from September 2024)

From: Daniel Murphy <notifications@github.com>
Date: Wed, 04 Sep 2024 11:24:53 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/875/2329712416@github.com>

From a chat with @LuHuangMSFT and a member of our security team, here is a proposal they were comfortable with. Not sure if this is something you're still OK with @LuHuangMSFT:

There are three levels of security for this association:
1. None (not used)
2. The `.well-known/scope-extensions` file acknowledgement on the extended origin/site.
- If the origin/site doesn't have the manifest_id in that file, the association isn't created.
- This can be re-checked periodically, allowing removal of associations but sometimes delayed.
3. Both a `.well-known/scope-extensions` file acknowledgement on the extended origin/site AND a `ScopeExtensionAllowed: <manifest_id_list>` response headers coming from 'extended' sites or origins.
- If the user agent ever does not receive this header from the server, then it removes the association. (Recoverable through existing manifest update mechanism if this was a dev mistake).
- This allows a site/origin owner to **immediately** remove this association.

For `origin` type scope extensions, this requires level 2 security.
For `site` type scope extensions, this requires level 3 security.

Reasoning:
- None of these impede navigation / would affect performance.
- The information is always known at install-time.
- The `origin` case is more common for smaller developers & remains easy to do & set up - no need to muck with network neaders.
- The `site` case is more complex & requires a more complex system that is likely a larger organization anyways, so setting that up to always include the correct response header seems OK.
- The `App-Id` header seems not necessary - This only seems necessary if the site is expecting to have a very large list of apps extending to it, so it doesn't want to have a large network response. There have been no use-cases that we know about that require this or match this behavior. Also - this would be very hard to implement.
- If needed in a future, then this can still be added.

Note this is separate from the filtering discussions, just for security here. Filtering can be handled by the current proposals with the `.well-known/scope-extensions` file and manifest file.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/875#issuecomment-2329712416
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/875/2329712416@github.com>

Received on Wednesday, 4 September 2024 18:24:57 UTC