Re: Establishing consistent opt-ins to expose resource metadata from Yoav Weiss on 2020-10-19 (public-webappsec@w3.org from October 2020)

From: Yoav Weiss <yoav@yoav.ws>
Date: Mon, 19 Oct 2020 09:05:34 +0200
To: Noam Rosenthal <noam.j.rosenthal@gmail.com>
Cc: Camille Lamy <clamy@google.com>, Anne van Kesteren <annevk@annevk.nl>, Artur Janc <aaj@google.com>, Yoav Weiss <yoavweiss@google.com>, Nasko Oskov <nasko@google.com>, Ilya Grigorik <igrigorik@google.com>, Mike West <mkwst@google.com>, Tab Atkins <tabatkins@google.com>, Kinuko Yasuda <kinuko@google.com>, Ulan Degenbaev <ulan@google.com>, WebAppSec WG <public-webappsec@w3.org>, public-web-perf <public-web-perf@w3.org>
Message-ID: <CACj=BEiL_pU3wLg4O_F30-usWC9vOrMXcagojEyb0PsGzk_K-A@mail.gmail.com>

Hey WebAppSec folks,

The WebPerfWG plans to discuss this on Thursday
<https://docs.google.com/document/d/1inejuvPONXPOLKTCcUzOBhPh6QOckMcltnR-E3xyZVQ/edit?ts=5f809f01#heading=h.t11egqakzor0>
(9am
PT/6pm CET), and we'd love for y'all to join us! (video link
<https://meet.google.com/gbd-iboz-zyf>).

Cheers :)
Yoav

On Wed, Jul 22, 2020 at 8:45 AM Noam Rosenthal <noam.j.rosenthal@gmail.com>
wrote:

>
>
> On Tue, Jul 21, 2020 at 4:54 PM Camille Lamy <clamy@google.com> wrote:
>
>>
>>
>> On Tue, Jul 21, 2020 at 11:02 AM Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>>
>>> On Mon, Jul 20, 2020 at 10:46 PM Artur Janc <aaj@google.com> wrote:
>>> > This is a good point -- it's definitely difficult for developers to
>>> understand the impact of revealing a particular bit of metadata about a
>>> resource.
>>>
>>> > I wonder if we could have a tiered embedding model where a more
>>> powerful mechanism implies all the capabilities of the less powerful ones.
>>> As a strawman, ignoring the reasonable concerns about CORP from above:
>>> > CORS >> CORP >> [header(s) to expose individual bits of metadata] >>
>>> [regular no-cors loads without any opt-ins]
>>> >
>>>
>>
>> The issue I see with this model is that it is not clear that having
>> access to metadata is a less powerful  privilege than setting CORP. To me
>> that could be different for each specific resource. Therefore, it seems to
>> me that access to metadata is in many ways orthogonal from having access to
>> the resource bytes themselves, and doesn't fit well in a linear model.
>>
>
> An example for this is resource-timing. The fact that you're allowing a
> resource to be available to an embedder, doesn't mean that you want the
> embedder to know the details of how long it took to retrieve it.
>
> I see this as OK, however, if we describe CORP in a very permissive way -
> something along the lines of "This is an open resource and the embedder can
> know everything about it", applicable for a lot of the content on the web
> like CDN-delivered images and common JS libraries.
> If CORP (or a different header) is described in this way, An "open"
> resource, then the linear approach can still work IMO.
>
>>

Received on Monday, 19 October 2020 07:06:07 UTC