Re: Fetch, MSE, and MIX from Brad Hill on 2015-02-20 (public-webappsec@w3.org from February 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 20 Feb 2015 18:36:28 +0000
To: Aaron Colwell <acolwell@google.com>, Ryan Sleevi <sleevi@google.com>, whatwg@whatwg.org
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, public-html-media@w3.org
Message-ID: <CAEeYn8g2H=nWT8PSH6B8Bz6py9iMqYt_UiDz5H_HkTfVhdG+sw@mail.gmail.com>
I agree this sounds like a reasonable, incremental step, that is
technically sound, does not introduce new incentives against improving
security, and is consistent with other web platform work and direction.

-Brad Hill

On Fri Feb 20 2015 at 9:55:39 AM Aaron Colwell <acolwell@google.com> wrote:

> Hi Ryan,
>
> Thanks for writing this up. I know you already know this, but I wanted to
> publically declare my support as one of the MSE editors. While I wish we
> didn't need this, I can understand the concerns of content providers and I
> think this is a reasonable compromise.
>
> Aaron
>
> On Thu Feb 19 2015 at 9:06:17 PM Ryan Sleevi <sleevi@google.com> wrote:
>
>> Cross-posting, as this touches on the Fetch [1] spec, Media Source
>> Extensions [2], and Mixed Content [3]. This does cross-post WHATWG and
>> W3C, apologies if this is a mortal sin.
>>
>> TL;DR Proposal first:
>> - Amend MIX in [4] to add "fetch" as an optionally-blockable-request-
>> context
>>   * This means that fetch() can now return HTTP content from HTTPS
>> pages. The implications of this, however, are described below, if you
>> can handle reading it all.
>> - Amend MSE in [5] to introduce a new method, appendResponse(Response
>> response), which accepts a Response [6] class
>> - In MSE, define a Response Append Loop similar to the Stream Append
>> Loop [7], that calls the consume body algorithm [8] on the internal
>> response [9] of Response to yield an ArrayBuffer, then executes the
>> buffer append [10] algorithm on the SourceBuffer
>>
>>
>> MUCH longer justification why:
>> As it stands, <audio>/<video>/<source> tags today are optionally
>> blockable content, as noted in [4]. Thus, an HTTPS page may set the
>> source to HTTP content and load the content (although typically with
>> user-agent indication). MSE poses itself as a spec to offer much
>> greater control to site authors than <audio>/<video>, as noted in its
>> use cases, and as a result, has seen a rapid adoption among a number
>> of popular video streaming sites. Most notably, the ability to do
>> adaptive streaming with MSE helps provide a better quality, better
>> performing experience for users. Finally, in some user agents, MSE is
>> a pre-requisite for the use of Encrypted Media Extensions [11].
>>
>> However, there are limitations to using MSE that don't exist with
>> <video>/<audio>. The most notable of these is that in order to
>> implement the adaptive streaming capabilities, most sites make use of
>> XMLHttpRequest to request portions of media content, which can then be
>> supplied to the SourceBuffer. Based on the feedback that MSE provides
>> the script author, it can then adjust the XHRs they make to use a
>> lower bitrate media source, to drop segments, etc. When using XHR, the
>> site author loses the ability to mix HTTPS pages with HTTP media, as
>> XHR is (rightfully so) treated as blocked content.
>>
>> The justification for why XHR does this is that it returns the full
>> buffer to the page author. In practice, we saw many sites then taking
>> that buffer and making security decisions on it - whether it be
>> "clearly" bad things such as eval()ing the content to more subtle
>> things like adjusting UI or links. All of these undermine all of the
>> security guarantees that HTTPS tries to provide, and thus XHR is
>> blocked.
>>
>> The result is that if an HTTPS site wants to use MSE with XHR, all of
>> the content needs to be served via HTTPS. We've already seen some
>> providers complain that this is prohibitively expensive in their
>> current networks [12], although it may be solvable in time, as
>> demonstrated by other video sharing sites [13].
>>
>> In a choice between using MSE - which offers a better user experience
>> over <video>/<audio> by reducing bandwidth and improving quality - and
>> using HTTPS - which offers better privacy and security controls -
>> sites are likely to choose solutions that reduce their costs rather
>> than protect their users, a reasonable but unfortunate business
>> reality.
>>
>> I'm hoping to find a way to close that gap - to allow sites to use MSE
>> (and potentially EME) via HTTPS documents, while still sourcing their
>> media content via HTTP. This may seem counter-intuitive, and a step
>> back from the efforts of the Chrome security team, but I think it is
>> actually consistent with our goals and our past comments. In
>> particular, this solution tries to provide a means and incentive for
>> sites to adopt MSE (improving user experience) AND to begin migrating
>> to HTTPS; first with their main document, and then, in time, all of
>> their media content.
>>
>> This won't protect adversaries from knowing what content the user is
>> actively watching, for example, but will help protect other vital
>> assets - such as their cookies, session identifiers, user information,
>> friends list, past viewing history, etc.
>>
>> Allowing fetch() to return HTTP content sourced from HTTPS pages seems
>> like it would re-open the XHR hole, but this isn't the case. As
>> described in [14], all requests whose mode is CORS or
>> CORS-with-forced-preflight are force-failed. This only leaves the
>> request modes of "no-cors", "same-origin", "about"and "data". Because
>> the origins are different between the document (https) and the request
>> URL (http), the request mode will be "no-cors", and thus the returned
>> Response object will be set to "opaque".
>>
>> The "opaque" response prevents direct access to the Response data.
>> Similarly, the SourceBuffer object does not allow direct access to the
>> data - this is only passed on to the audio/video decoders, same as the
>> existing <audio>/<video>/<source> tags today. I realize this may
>> prevent access to the full capabilities of MSE; indeed, some use cases
>> require access to the content in order to do adaptive streaming.
>> However, there still seem a number of use cases where it can work, or
>> where existing solutions that do require direct access to content may
>> be adjusted, slightly, so that they don't.
>>
>> In discussing this, internally and with other vendors, the primary
>> security implication of this is that of privacy leakage. However, this
>> problem exists regardless of fetch(), due to the fact that script can
>> always inject any of the optionally-blockable content tags into the
>> page and leak information. That is, I can always disclose content by
>> using a <video> or <img> tag directly, and I can always smuggle back a
>> few bits of information at a time (for example, using the width/height
>> of the image to smuggle back 4-8 bytes at a time, or, even more
>> primitively, using onload/onerror to smuggle a bit at a time back)
>>
>> Further, I'm not proposing that there be any special UI handling for
>> these mixed-content fetch()'s - that is, they behave as the user agent
>> already does when encountering passive mixed content (e.g. some form
>> of UI warning/degradation). So performing these fetch()'s will NOT
>> yield positive security indicators. Of course, as proposals like [15]
>> mature, it may be far more desirable sites to have HTTPS with mixed
>> content compared to HTTP, thus making this proposal even more
>> attractive than the HTTP counterpart.
>>
>> Overall, the hope is to provide incentives for media sharing sites to
>> begin migrating to HTTPS, allowing them to keep the existing features
>> they have over HTTP (in this case, MSE), and potentially allowing for
>> a migration path that allows the staged deprecation of allowing more
>> powerful, privacy-sensitive features like EME [16] from being
>> available over HTTP, while not taking any steps backwards in terms of
>> privacy or security for fetch() or HTTPS pages.
>>
>> This is not meant to be a long-term solution for optionally-blockable
>> content. I absolutely think we should be working to wean sites off
>> this and move them away. However, in the trade-off between having
>> major sites using HTTP or having to prolong optionally-blockable
>> content for some additional, defined period of time, I absolutely
>> believe the latter is in the greater interest of web security, and
>> consistent  with the findings of the W3C's TAG.
>>
>> So, beyond telling me I wrote way too much, what do people think?
>>
>> [1] https://fetch.spec.whatwg.org/
>> [2] http://w3c.github.io/media-source/
>> [3] https://w3c.github.io/webappsec/specs/mixedcontent/
>> [4] https://w3c.github.io/webappsec/specs/mixedcontent/#
>> category-optionally-blockable
>> [5] http://w3c.github.io/media-source/#sourcebuffer
>> [6] https://fetch.spec.whatwg.org/#response-class
>> [7] http://w3c.github.io/media-source/#sourcebuffer-stream-append-loop
>> [8] https://fetch.spec.whatwg.org/#body
>> [9] https://fetch.spec.whatwg.org/#concept-internal-response
>> [10] http://w3c.github.io/media-source/#sourcebuffer-buffer-append
>> [11] https://w3c.github.io/encrypted-media/
>> [12] https://lists.w3.org/Archives/Public/www-tag/2014Oct/0105.html
>> [13] https://www.youtube.com/
>> [14] https://w3c.github.io/webappsec/specs/mixedcontent/#
>> should-block-fetch
>> [15] https://lists.w3.org/Archives/Public/public-webappsec/
>> 2014Dec/0062.html
>> [16] https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332
>> [17] https://w3ctag.github.io/web-https/
>>
>
Received on Friday, 20 February 2015 18:36:58 UTC