Decide how to treat CSP sandbox in COOP #4921
Comments
|
This is an interesting angle I had not considered. There is language that ensures a top-level browsing context with a non-empty popup sandboxing flag set is replaced by a network error if the response being navigated towards in that browsing context has COOP. This to ensure the sandboxing policy is not violated and the COOP policy (which expects a "clean" environment) isn't either. You are asking what should happen if A navigates to A' where both have COOP, but the latter is also sandboxed via CSP. Currently those are not isolated from each other and would not result in a browsing context replacement. I think you're correct that this might be problematic as A' could do a timing attack on A. It's a little weird for A' to have COOP, but it's also not unreasonable to set that origin-wide. cc @whatwg/security |
|
I think this is a question we'll need to answer in HTML. Do we process the CSP header before headers that make "same-site"/"same-origin" assertions, or after those headers? Without thinking about it too hard, I think I agree with @shhnjk's suggestion that we'd process CSP first. It seems like a strong assertion from the server that it wants to reduce the privilege of a given file. One consequence of that conclusion, though, worries me: it seems like we would need to apply the same logic to resources loaded into @arturjanc might have some insight into Google application team's stance on this kind of question? |
|
I'm not sure I understand the concern with (Apparently in Firefox the origin is computed earlier and CSP is taken into account as expected. I'm a little worried if we get other things that can manipulate origin it'll be hard to ensure they all do so at the right time, but perhaps that suggests this should have more dedicated infrastructure. Maybe #4926 helps.) |
I think it was a mistake on my part; ignore me. I forgot that COOP doesn't affect frames, so it's still possible to use COOP, and load content into a sandbox. I'm dumb. |
|
Taking the I am, however, a little worried about the scenario @annevk mentioned above where navigations from a sandbox document to a document with COOP would result in network errors. IIUC this would mean that e.g. links in user-uploaded files served as top-level sandbox documents will stop working when the target applications enable COOP. @annevk, could we instead force a new browsing context group on such navigations, or would that be insufficient? |
|
I think that for a sandboxed top-level document its browsing context's popup sandboxing flag set is empty, unless it opens and navigates a popup. If we think that preserving sandboxing for popups continues to be important (I don't recall the rationale as to why we have it) I think we have to not let |
Does this mean that a sandboxed top-level document could navigate its own window to a document with COOP and it would succeed, but a popup to a document with COOP would result in a network error? If so, that seems like a reasonable trade-off -- also because IIUC it only affects sandboxed documents with |
|
Yeah, that's my understanding of how this works. A frame or a popup can be sandboxed (i.e., their browsing context), but you cannot sandbox an arbitrary top-level browsing context (unless it was created as a popup). In that case it's only the current document that's sandboxed. |
|
I have made two edits related to sandboxing in https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e. It now clearly acknowledges the issue from OP and suggests CSP ought to be taken into account when computing the origin of a response. I also had to make adjustments to when a sandboxed popup becomes a network error due to https://bugzilla.mozilla.org/show_bug.cgi?id=1566868. To selectively quote from a comment there:
|
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <[email protected]>
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <[email protected]>
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <[email protected]>
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <[email protected]>
This commit adds the notion of cross-origin opener policy (COOP). COOP allows websites to restrict which origins they share their browsing context group with. annevk wrote a first draft of the behavior of COOP here: https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e. This takes that draft and merges it into the spec, with many updates along the way. Closes whatwg#3740. Closes whatwg#4580. Closes whatwg#4921. Closes whatwg#5172. Co-authored-by: clamy <[email protected]> Co-authored-by: Anne van Kesteren <[email protected]> Co-authored-by: Domenic Denicola <[email protected]>
Any origin served with CSP sandbox (without allow-same-origin) will have opaque origin. But until that response header comes back, browser would not know its origin.
We should probably treat CSP sandboxed page as cross-origin even though the tuple of scheme, host, and port would match. But is it same-site or cross-site?
The text was updated successfully, but these errors were encountered: