W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2015

Re: Suborigin update

From: Joel Weinberger <jww@chromium.org>
Date: Mon, 16 Nov 2015 02:27:23 +0000
Message-ID: <CAHQV2Km8t+NDngfBJPH=RECXoMw4j50NB_pRP_bY+eqqZPOmAg@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Artur Janc <aaj@google.com>
And we're back on the schedule for tomorrow, so we can discuss some of the
points there :-)
--Joel

On Sun, Nov 15, 2015 at 6:18 PM Joel Weinberger <jww@chromium.org> wrote:

> First of all, it appears I may have my dates mixed up, and I don't think
> we'll be discussing Suborigins at tomorrow's meeting. But I'm still glad we
> have this conversation going :-)
>
> Many comments to respond to, so I'll try to go through them. Jas's
> comments first. Thanks for the points! I meant to cover a few of them, and
> I just didn't think of it.
>
>    - Re: Workers and Service Workers- Workers from a Suborigin will be
>    treated as belonging to the Suborigin tuple, not the Origin tuple. Our
>    proposal for SWs for now is special. Namely, Suborigins cannot install
>    them, and SWs installed by an Origin can still intercept requests/responses
>    to/from the Suborigin, but we'll definitely need input from an SW expert to
>    solidify this.
>    - Re: X-Frame-Options: We haven't explicitly discussed this, so I'm
>    certainly open to suggestions. My offhand suggestion would be to apply any
>    X-Frame-Options to an Origin tuple to all Suborigin tuples with match
>    scheme/host/port. This seems simplest for backwards compatibility.
>    - Re: document.domain: I believe we discussed simply disabling the
>    setting of document.domain from a Suborigin, but again, this was more
>    offhand discussion than anything.
>
> To Anne's comment on localStorage: I certainly think that disabling
> localStorage is a sensible place to start, although it's not hard to
> imagine many applications needing it to be useful.
>
> To Dev's comment on cookies:
> I like the suggestion of an unsafe-cookie as a mandatory v1 opt-in, since,
> I agree, there are other setups that can be useful in the future. Can you,
> perhaps, help us outline precisely the set of requirements around cookie
> setting and reading that you think would be reasonable? I believe from
> Artur's perspective, he *does* want readable cookies, but I'll have to let
> him speak for himself on this one, since offhand, it does sound like
> sending the cookies without a readable document.cookie makes sense.
>
> To Dev's comments on preflights:
> I think you're right that we should probably only do it for complex
> requests. Yes, it's a big hammer for XHR and Fetch, but unfortunately we
> couldn't think of a better way to do it. Since Suborigins are defined upon
> response, we can't actually know if a request is safe to make unless the
> server tells us it is safe to make. Thus, we need to do a preflight to get
> back the Suborigin information for that request.
>
> From the app's perspective, it has to assume that the browser is *not*
> running in a Suborigin enabled browser, since who knows which browsers will
> support it. However, the idea should be that if they always send Suborigin
> headers they should get the Suborigin separation *if* they browser supports
> it.
>
> Dev, can you clarify your question about '*' responses and
> withCredentials? I don't quite follow it.
> --Joel
>
> On Sat, Nov 14, 2015 at 1:26 PM Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
>
>> > - document.cookie is necessary for applications to keep working without
>> > requiring users to sign into every part of your website separately.
>> > Security-wise it's on par with existing behavior (cookies being shared
>> > between subdomains) so we believe it's a reasonable default. That having
>> > been said, I wouldn't be surprised based on comments from Dev that we'll
>> > eventually want to build an opt-out to give a Suborigins a unique cookie
>> > jar.
>>
>> Would a cookie set by top level domain be readable though? That's what
>> was I was really not ok with and that is also not par with current
>> sub-domain behavior.
>>
>> Additionally, I like the current sub-domain behavior has been a
>> forever source of pain and so extending it doesn't sound like a great
>> idea.
>>
>> I can understand this being a requirement though. I am just not a fan
>> of making it the default. Allowing it through some 'unsafe-cookie'
>> sort of opt-in (an opt-in we make mandatory in v1) seems more
>> reasonable to me.
>>
>>
>> > In the case of XHR/Fetch, our solution is to send a CORS preflight for
>> all
>> > XHR/Fetch calls from a Suborigin, and we'll add a Suborigin header. Then
>> > we'll require that the response has an Access-Control-Allow-Suborigin
>> header
>> > that lists the requesting Suborigin (or, alternatively, a '*' response
>> to
>> > Access-Control-Allow-Origin).
>>
>> This seems a big hammer. While secure, the perf impact of pre-flight
>> is terrible and applications go out of their way with some horrible
>> hacks to avoid it. At the least, why not inherit existing behavior:
>> preflight only for complex requests?
>>
>> Also, how will * response work? Will the request be sent with a
>> cookie? Does the app set request.withCredentials to false? How would
>> the app know whether it is running in a browser with subOrigin support
>> and needs to set that flag?
>>
>> > Importantly, the app
>> > will need to have the cookie because otherwise you'd stop being logged
>> in
>> > and it would suck for usability.
>>
>> I am still confused why the app needs document.cookie though. The
>> cookie is sent with the request.
>>
>> ~dev
>>
>
Received on Monday, 16 November 2015 02:28:02 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:16 UTC