
Same-origin policy & observing no-cors fetches #27

Closed
igrigorik opened this issue Jul 7, 2015 · 17 comments · Fixed by #30
Labels
security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.

Comments

@igrigorik
Member

An attacker, attacker.example, can figure out what resources a stylesheet on target.example loads by including it on attacker.example and using either the Resource Timing (shipped) or Service Worker (about to ship) API. This violates SOP. (@annevk)

@igrigorik igrigorik changed the title Same-origin policy & observing fetches Jul 7, 2015
@toddreifsteck
Member

Has a test case to validate this hole in Chrome/Firefox been created? I'd like to re-use it to validate Microsoft browsers.

@igrigorik
Member Author

Oh, and I believe this is the corresponding WebKit bug, since I don't see it linked in the paper:
https://bugs.webkit.org/show_bug.cgi?id=29820 (@davidben, w3c/ServiceWorker#719 (comment))

@davidben

Er, to clarify, that's not the corresponding WebKit bug for this stuff. It's the corresponding WebKit bug to this paper, https://www.linshunghuang.com/papers/css.pdf, which is an example of cross-origin CSS info leakage being a concrete problem in the past.

ETA: Full context for my quoted comment:

Oh yuck. Yeah, I think I agree with Anne that we should remove these requests from SW and Resource Timing unless you add the crossorigin attribute. These kinds of "the contents are secret, but if they happen to parse as foo, you can execute it" security policies are super-hairy. We shouldn't add new ones.

In fact, cross-origin CSS has already bitten us in the past because the CSS parser is extremely error-tolerant. See https://www.linshunghuang.com/papers/css.pdf

@toddreifsteck
Member

Microsoft agrees this should be explicitly called out in the spec and blocked.

@igrigorik
Member Author

Looking at the plumbing, I think step 3 in processing is where we need to restrict this behavior:

For each resource fetched by the current browsing context, perform the following steps...

That said, I'm not sure about the correct language to carve out ~"fetches initiated by Documents fetched with no-cors flag". @annevk any suggestions on this one?

@annevk
Member

annevk commented Jul 17, 2015

The way this should really work is through the fetch registry I think. Resource timing would hook into that. Then we need CSS to be defined in terms of Fetch and set some kind of "opaque request flag" for no-CORS CSS subresources. And the fetch registry has a view that doesn't expose opaque requests which all APIs would be required to use.

Until that time, calling out no-CORS CSS somehow and saying we're waiting for everything to be written in terms of Fetch seems like the best monkey patch you can do, but I'm open to suggestions.

@igrigorik
Member Author

Ok, for the time being, how about...

For each resource fetched by the current browsing context, excluding resources fetched by cross-origin CSS documents fetched with no-cors policy, perform the following steps...

@davidben

Nit: Unless we've already lost that game (but skimming around, it doesn't seem to be the case), we shouldn't call anything a "CSS document". A document is a very particular kind of object with a whole lot of semantics attached to it. CSS does not create those things.

@igrigorik
Member Author

@davidben I'm not clear on what you mean with "CSS does not create those things"... Are you suggesting I strike the "document" part and simply refer to it as "fetched by cross-origin CSS resources fetched with..."?

@annevk
Member

annevk commented Jul 18, 2015

Yes, use "cross-origin CSS resource" or "cross-origin stylesheets".

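The carve-out settled on above (withhold Resource Timing entries for subresources requested by a cross-origin stylesheet that was itself fetched in no-cors mode) modelled as a small filter over fetch records. This is an added example, not code from the Resource Timing spec, from any browser, or from the participants in this thread; the record shape (`url`, `initiator` with `type`, `url`, `mode`) and the function names are assumptions made for the illustration.

```javascript
// Added example (not spec or browser code): model the Resource Timing
// carve-out discussed in this issue. Each fetch record says which
// "initiator" caused the fetch: the document itself, or a stylesheet
// (identified by its URL and the Fetch mode it was requested with).
// Record and field names are assumptions for this illustration.

function originOf(url) {
  return new URL(url).origin;
}

// Decide whether one record may appear in the document's performance
// timeline. A subresource requested by a stylesheet that is cross-origin
// to the document AND was fetched in "no-cors" mode is withheld: the
// stylesheet's contents are opaque to the document, so the URLs it loads
// must not be observable either. Everything else (the document's own
// requests, same-origin stylesheets, CORS-mode stylesheets) is exposable.
function isExposable(record, documentOrigin) {
  const init = record.initiator;
  if (!init || init.type !== "stylesheet") return true;
  const crossOrigin = originOf(init.url) !== documentOrigin;
  return !(crossOrigin && init.mode === "no-cors");
}

// Apply the filter to a list of records and return the exposable URLs.
function exposableEntries(records, documentOrigin) {
  return records
    .filter((r) => isExposable(r, documentOrigin))
    .map((r) => r.url);
}

// Constructed sample: a document on attacker.example that includes a
// stylesheet from target.example without a crossorigin attribute
// (mode "no-cors"), its own stylesheet, and a CORS-mode stylesheet
// from a CDN.
const DOC_ORIGIN = "https://attacker.example";
const SAMPLE_RECORDS = [
  { url: "https://attacker.example/app.js", initiator: { type: "document" } },
  // The stylesheet request itself is made by the document, so it stays
  // visible; only what the opaque stylesheet goes on to load is hidden.
  { url: "https://target.example/style.css", initiator: { type: "document" } },
  {
    url: "https://target.example/img/theme.png",
    initiator: { type: "stylesheet", url: "https://target.example/style.css", mode: "no-cors" },
  },
  { url: "https://attacker.example/own.css", initiator: { type: "document" } },
  {
    url: "https://attacker.example/bg.png",
    initiator: { type: "stylesheet", url: "https://attacker.example/own.css", mode: "no-cors" },
  },
  { url: "https://cdn.example/shared.css", initiator: { type: "document" } },
  {
    url: "https://cdn.example/font.woff2",
    initiator: { type: "stylesheet", url: "https://cdn.example/shared.css", mode: "cors" },
  },
];

// Six of the seven records are exposable; target.example/img/theme.png is not.
console.log(exposableEntries(SAMPLE_RECORDS, DOC_ORIGIN));
```

The check hinges on two facts about the initiator, not one: a same-origin no-cors stylesheet and a cross-origin CORS-mode stylesheet are both fine, because in each case the document was already entitled to read the stylesheet's contents. Only the combination of cross-origin and no-cors marks the stylesheet's subresource fetches as opaque.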
@annevk
Member

annevk commented Jul 18, 2015

I would also appreciate a note about refactoring that in terms of Fetch down the line, so that those implementing might do the right thing.

@igrigorik
Member Author

@annevk ptal: #30

@annevk
Member

annevk commented Jul 20, 2015

Yeah looks good. Though you might want to point to https://fetch.spec.whatwg.org/#concept-fetch instead of HTML, since the HTML definition doesn't handle a number of things, and doesn't call it "no-cors".

@igrigorik
Member Author

Good call, fixed: f7ce98a

@yoavweiss
Contributor

Was a test for this ever added to web-platform-tests?

@plehegar plehegar added the security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. label Oct 12, 2016
7 participants