Re: [suborigins] serializing of origins from Mike West on 2017-04-11 (public-webappsec@w3.org from April 2017)

From: Mike West <mkwst@google.com>
Date: Tue, 11 Apr 2017 12:00:52 +0200
To: Jochen Eisinger <eisinger@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=dawDBqvmMMtBXYXEzz4ZHyUAPVAoTswcaShWt-Thy-2w@mail.gmail.com>

+Dev, who I hope will have informed opinions about how Dropbox would like
to be using suborigins.

I think getting rid of the serialization change would be a win. The new
scheme has caused some weirdness in Blink's implementation, especially its
integration with other layers of the system that shouldn't really need to
know anything about suborigins.

Dev will correct me, I hope, but AFAIK the goal of the serialization scheme
is to ensure that applications that are not suborigin-aware fail closed
when a suborigin tries to talk to them. That is, when `https://example.com/`
with a suborigin of `foo` tries to `postMessage()` to another page on `
https://example.com/`, then simply checking the message's `origin`
attribute against `https://example.com/` should fail. Likewise for `origin`
header checks.

Another approach to those two cases would be what you suggest at the end of
your email: set the `origin` attribute of a `MessageEvent` from a suborigin
to `null` (not the string "null", but the object `null`), and add more
attributes to allow folks to do reasonable comparisons. It strikes me that
the `initiator` property you're suggesting might also be an opportunity to
stuff the `domain` into the `MessageEvent`, which might be independently
valuable. Hrm.

For the `Origin` header, it seems like we're already failing closed if
`Access-Control-Allow-Suborigin` isn't present in the response, right? If
that's the case, then why not add a `Suborigin` header to the request? (I
think this is basically what issue 11 in the spec is suggesting).

-mike

On Fri, Apr 7, 2017 at 10:11 AM, Jochen Eisinger <eisinger@google.com>
wrote:

> Hey all,
>
> I started to look at our suborigin implementation in blink, and one of the
> things I was stumbling over was the serialization of an origin with a
> suborigin, i.e. (scheme, host, port, suborigin) getting serialized to
> ${scheme}-so://${suborigin}.${host}:${port}/
>
> It seems that the main reason for doing this is to break postMessage for
> code that is not aware of suborigins. Is that the case?
>
> If that was the case, have we considered other ways to break this, e.g.
> make origin return the null value and add instead a new property to message
> (e.g. initiator with two properties origin and suborigin)?
>
> best
> -jochen
>

Received on Tuesday, 11 April 2017 10:01:45 UTC