Breaking the `opener` relationship. from Mike West on 2017-04-27 (public-webappsec@w3.org from April 2017)

From: Mike West <mkwst@google.com>
Date: Thu, 27 Apr 2017 12:57:24 +0200
To: Artur Janc <aaj@google.com>, Alex Russell <slightlyoff@google.com>, Emily Stark <estark@google.com>, Jonathan Watt <jwatt@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=en0SbH2HtZmn2f68TsZbwPDQ1eHS8h=vgHkd+UQvsaRQ@mail.gmail.com>

Forking this off and CCing some folks, as it's a sufficiently interesting
topic on its own.

On Wed, Apr 26, 2017 at 2:28 PM, Artur Janc <aaj@google.com> wrote:

>
>>>    - I'd love a solution to opener disownership that's generic.
>>>
>>> Can you clarify this? I don't understand.
>>
>
> Alex, the CSP3 draft has https://w3c.github.io/webappse
> c-csp/#directive-disown-opener which might be what you're looking for?
> FWIW I'd agree with the note in the spec and this bug
> <https://github.com/w3c/webappsec-csp/issues/194> that this needs some
> more deliberation.
>

As noted, I think that `disown-opener` is the wrong thing for a page to ask
for. Instead, I think something like
`block-cross-origin-access-via-windowproxy-and-etc`
is more accurate. That is, the goal isn't to prevent `window.opener` from
being set on the protected page. The goal instead is to prevent
cross-origin pages that gain a reference to the protected page (e.g. via
`window.open` or `<iframe>` in either direction) to use that reference to
poke the protected page in ways it might not expect.

Assuming that `https://a.com/sekrit` served a response with
`content-security-policy: block-cross-origin-access-via-windowproxy-and-etc`,
I'd expect the following behavior:

1.  `var x = window.open('https://a.com/sekrit')` executed from `
https://evil.com/` would return a `WindowProxy` object, just as it does
today. But, accessing `x.location` or `x.postMessage`, or any of the other
cross-origin attributes would throw a `SecurityError`.

2.  Likewise, `var x = window.open('https://evil.com/')` from `
https://a.com/sekrit` would give `https://evil.com/` a `window.opener`
handle to `https://a.com/sekrit`, but access would throw.

3.  `https://evil.com/` would be able to reach into `<iframe src="
https://a.com/sekrit">` via `frame.contentWindow` to get a `WindowProxy`,
but again we'd block access to the properties/methods.

4.  Likewise, if `https://a.com/sekrit` included `<iframe src="
https://evil.com/">`, the latter would gain a `window.top` handle to `
https://a.com/sekrit`, but access would throw.

It seems like this would be pretty straightforward to define in HTML (add a
flag to the settings object, set it via CSP's initialize steps, check it
somewhere around step 4 of
https://html.spec.whatwg.org/#windowproxy-getownproperty, throw), though I
think Chrome's implementation would be complicated. Firefox might have an
easier time of things given its architecture...

We could, I suppose, even tie this behavior to `window.opener = null` in
order to cut off access in an imperative way, if that turned out to be
desirable.

WDYT?

-mike

Received on Thursday, 27 April 2017 10:58:19 UTC