- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 23 Jul 2014 19:04:17 -0700
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: Mike West <mkwst@google.com>, public-webappsec@w3.org, Anne van Kesteren <annevankesteren@gmail.com>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>
- Message-ID: <CAPfop_2tMV0YAsbnM85C3-_P1_b7srjoD3NE9NenEFtUhBJ5bw@mail.gmail.com>
Hi ServiceWorkers are ridiculously powerful and so I actually advocate for both: request headers and response headers. For request headers, how about a "CH-Context: ServiceWorker"? That makes more sense to me than "Service-Worker: script" and it also follows the client hint format. For response, since SW shouldn't wait on CSP2.1, how about a simple header that someone can send to disable all SWs registered on the domain? "ServiceWorker: None" or something like that? In an ideal world, we would insist on what Brian suggested---a different content type. An invariant on the web platform is that "text/html" (and its siblings) are the only content-types that grant code execution capabilities. ServiceWorker will add text/javascript to that list, which is giving new powers for existing files. Additionally, Jeffrey mentioned that path-based restrictions don't work. While this is mostly true, a lot of services rely on capability URLs and registering a SW will allow an attacker to learn about all the URL requests on that domain, which could leak capability values and allow for tracking. For example, controlling a js file and a html page or injection didn't let me track all urls the user will visit in the future (24hrs?). Not sure what the right trade off is. Given the previous lessons from AppCache that you mentioned, the request and response headers to grant control make sense to me. Although, I do wonder: is it really that hard to ask github to let devs set content type sometimes? cheers Dev On Tue, Jul 22, 2014 at 3:02 AM, Mike West <mkwst@google.com> wrote: > On Tue, Jul 22, 2014 at 1:12 AM, Jeffrey Yasskin <jyasskin@google.com> wrote: >> One way to do this would be to define a CSP directive that says in >> what contexts (http://fetch.spec.whatwg.org/#concept-request-context) >> the protected resource may be used. > > This is conceptually similar to 'frame-ancestors' in that it allows a > subresource to control the way it's used by an embedder. I haven't > thought through all the impacts, but it seems like something that's > pretty reasonable to consider. > > Are there cases beyond "Don't use this file as a service worker!" in > which this would be useful? I don't know of any offhand. It's also not obvious that the exact list of fetch contexts is the right set of keywords for this directive (or even that the fetch contexts have their final values). Another approach might be to add a new kind of directive-value where "context not-serviceworker not-image" would allow the resource to be used in any context except serviceworker and image. Then we could define only, say "any" and "not-serviceworker" or "not-child", and leave further use cases for the future. I'm not entirely happy with this option either. >> * Are CSPs the right way to do this? Issue 224 also discusses a >> "Service-Worker: script" header that could be sent with the service >> worker script request, which would be an alternate way to let servers >> handle XSS. > > Brian's Content-Type proposal makes more sense to me than a new HTTP > header entirely. I think it makes sense regardless of whether we adopt > a 'context' directive. It turns out that requiring a dedicated Content-Type isn't great: it requires that a host like github that already uses origins for isolation add explicit support for Service Workers before any of their users can use it. Apparently this was a big problem for appcache. A CSP directive or "Service-Worker: script" header instead requires hosts that use paths for isolation to change, and this as a security fix. It's not obvious to me that this is the right security/usability tradeoff, but it's plausible because paths don't work for isolation anyway. Also note that the "Service-Worker: script" header would be in the request, while the Content-Type header would be in the response, so they're not precisely comparable. IIUC, the main benefit of a request header over a response header (either CSP or Content-Type) is that the request header shows up in server logs before the XSS is even detected, while CSP reports only show up after the blocking CSP is added. >> * What CSP directive and values make sense for this? >> * Which spec should define this initially, CSP or Service Workers? > > It should end up in CSP if that's the route we decide to take, but > there's no harm in defining it in SW to begin with. Given that CSP2 > just hit LC, putting it into SW is almost certainly a faster way to > get it into an implementable state. SG.
Received on Thursday, 24 July 2014 02:04:44 UTC