- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 21 Jul 2020 11:02:00 +0200
- To: Artur Janc <aaj@google.com>
- Cc: Noam Rosenthal <noam.j.rosenthal@gmail.com>, Yoav Weiss <yoavweiss@google.com>, Camille Lamy <clamy@google.com>, Nasko Oskov <nasko@google.com>, Ilya Grigorik <igrigorik@google.com>, Mike West <mkwst@google.com>, Tab Atkins <tabatkins@google.com>, Kinuko Yasuda <kinuko@google.com>, Ulan Degenbaev <ulan@google.com>, WebAppSec WG <public-webappsec@w3.org>, public-web-perf <public-web-perf@w3.org>
On Mon, Jul 20, 2020 at 10:46 PM Artur Janc <aaj@google.com> wrote: > This is a good point -- it's definitely difficult for developers to understand the impact of revealing a particular bit of metadata about a resource. It's probably worth having some exposition of this in the eventual standard that hopefully makes its way onto MDN and StackOverflow. > As an aside, I like the current formulation of CORP partly because it's somewhat underdefined; the header tells you what can happen ("this requester can / cannot access the resource") but doesn't imply anything else about the resource or its security properties. In a lot of cases, this granularity is perfectly fine, because I'd guess that the bulk of resources loaded in no-cors mode are static or otherwise not sensitive; attaching a security model to this would overcomplicate things. Individual switches will be simpler conceptually, but ironically may be harder to reason about than "is this a static/boring resource or not?". Well, you also have to set it for documents. I definitely see the attraction of a single switch and even having that switch be CORP (though we'd need to do some refactoring to track it for responses across redirects similar to Timing-Allow-Origin, rather than it only being a check for each response we get), but then we're getting in the business of having to categorize safe and unsafe metadata. Maybe that's going to be the case with the other solutions too though. We should write down what this is for and what it is not for. > I wonder if we could have a tiered embedding model where a more powerful mechanism implies all the capabilities of the less powerful ones. As a strawman, ignoring the reasonable concerns about CORP from above: > CORS >> CORP >> [header(s) to expose individual bits of metadata] >> [regular no-cors loads without any opt-ins] > > In this model, if a resource can be loaded via CORS or opts into CORP, it would also let the embedder access resource metadata. Such a model would be "uni-directional" and allow developers to expose resource metadata without requiring them to set CORP. > > This is likely a bad idea because it's making assumptions that aren't necessarily true (for example that a resource loaded via CORS should reveal fine-grained timing metadata). But if *something* along these lines was workable, it could make the developer story simpler; e.g. if you have a resource that isn't sensitive and allow embedding it via CORS/CORP, that would save developers from setting a bunch of different headers for different kinds of metadata. > > But this runs into the concerns mentioned above and I imagine Anne can find some flaws in this logic :) I actually don't mind this model and we in fact reached a similar agreement around Timing-Allow-Origin (before CORP, but if everyone is okay slotting CORP in I won't stand in the way per above). My more general concern is where to draw the line. This is also a problem with the same-origin policy (and continues to be, as earlier arguments around these features demonstrate) and other policies such as secure contexts as everyone deems their feature exception worthy. So basic web platform security requires ongoing vigilance by what appears to be very few people. In conclusion, I wouldn't mind starting out with CORP and attempting to define safe and unsafe metadata and leave more granular control for another day. It'd be great to get input on this from some of the other stakeholders.
Received on Tuesday, 21 July 2020 09:02:32 UTC