W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: [blink-dev] Proposal: Prefer secure origins for powerful new web platform features

From: Peter Kasting <pkasting@google.com>
Date: Fri, 27 Jun 2014 17:46:43 -0700
Message-ID: <CAAHOzFC8qJoSPy0zaUV2--iwqte3hH4NuWZc1CwN6AF+2sss9Q@mail.gmail.com>
To: Ryan Sleevi <rsleevi@chromium.org>
Cc: blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, dev-security@lists.mozilla.org, "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>
On Fri, Jun 27, 2014 at 5:35 PM, Ryan Sleevi <rsleevi@chromium.org> wrote:

> On Jun 27, 2014 5:02 PM, "'Peter Kasting' via Security-dev" <
> security-dev@chromium.org> wrote:
> > On Fri, Jun 27, 2014 at 3:55 PM, 'Chris Palmer' via blink-dev <
> blink-dev@chromium.org> wrote:
> >> "Particularly powerful" would mean ... generally any feature that
> >>
> >> we would provide a user-settable permission or privilege to.
> >
> > I don't really understand this last clause.  Users of browsers can set
> many permissions, e.g. in Chrome the user can grant or deny sites the
> ability to use plugins, open popup windows, run Javascript, etc. I doubt
> you intended to suggest that a new feature with a similar scope to those
> should be restricted.
> There is, I think, a balance.
> The examples you gave are examples where we default positive (allow), but
> then allow the user to deny. In effect, all origins BUT X have access to a
> permission.
I don't know that I'm comfortable with that summary.  We allow users to
globally default-deny these permissions.  In the case of plugins in
particular, we have a click-to-play setting that many people use that
amounts to default-deny.  There are arguments one could make for a browser
shipping that setting by default (although I agree with Chrome's decision
not to do so in this case), but those arguments don't really have much
connection to the security of the feature, they're more about preventing
annoyances that are widespread on the web.  If we end up conflating things
like "feature is scoped to HTTPS" with "feature is occasionally annoying",
I think we've made a mistake.

> However, for permissions where the assumption is default-deny (or prompt),
> those are certainly in scope. That's because if you grant Origin X access,
> and X is an origin delivered over an insecure transport, you've granted it
> to all origins, in effect.
Again, I think the reason _why_ such a thing would be default-deny is an
important part of the answer here.  I can imagine features that I think
your argument makes sense for, as well as ones where it doesn't.
 Accordingly, I wouldn't use "default-deny" in my list of descriptions of
the rules governing this, I'd instead focus on the reasons why a particular
capability could e.g. leak private data or something.  Which Chris
basically did.  Which is why the trailing "...or anything else that has
permissions" clause seemed not only confusing but unnecessary.

> geolocation, audio, video all come to mind as modern deny features that
> would, ideally, have been restricted for the reasons listed - though that
> horse has long since left the barn.
Clarity: I assume you mean audio/video recording, not playback (which is an
example of a capability we shouldn't restrict).

Received on Saturday, 28 June 2014 00:47:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC