The navigate-to directive
#290
Conversation
|
Bikeshed: "navigate-to". Justification: it's "connect-src", not "connection-src". (I might even go as far as just "navigate" as I'm not sure what the suffix adds.) |
|
I can see I have some concern and I'm not sure what happens when the initiator is not a browsing context (for example a url typed in the box) but I want to ensure that this will never block those navigations. |
index.src.html
Outdated
|
|
||
| 7. A <dfn for="directive" export>navigation response check</dfn>, which takes a | ||
| <a for="/">request</a>, a <a>response</a> and two <a>browsing contexts</a> as | ||
| arguments, and is executed during [[#should-block-navigation-response]]. | ||
| <a for="/">request</a>, a <a>response</a>, two <a>browsing contexts</a>, |
There was a problem hiding this comment.
This also takes a "navigation type" string (either form-submission or other).
index.src.html
Outdated
| <a for="/">request</a>, type string, and two <a>browsing contexts</a> as arguments, and | ||
| is executed during [[#should-block-navigation-request]]. It returns | ||
| "`Allowed`" unless otherwise specified. | ||
| <a for="/">request</a>, `navigation type` string, and two <a>browsing contexts</a>, |
There was a problem hiding this comment.
Nit: Drop the backticks: "navigation type string" seems fine without them. Same below for "check type string".
index.src.html
Outdated
| @@ -1386,7 +1383,31 @@ <h4 id="should-block-navigation-response" algorithm> | |||
|
|
|||
| 1. If |directive|'s <a for="directive">navigation response check</a> | |||
| returns "`Allowed`" when executed upon |navigation request|, |type|, | |||
| |navigation response|, |source|, and |target|, skip to the next | |||
| |navigation response|, |source|, |target|, and "`target`" skip to the next | |||
There was a problem hiding this comment.
I think it's worth adding a note under step 2 above explaining that this piece of the algorithm is useful for directives that allow the response itself to assert something. Perhaps along the lines of:
Some directives, like [=frame-ancestors=], allow a policy delivered with |navigation response| to
act upon the navigation. To support these directives, we walk through the response's CSP list
and allow its directives to process their [=directive/navigation response checks=]
Under the new step 3, you might follow that up with:
Other directives, like [=navigate-to=], allow the policies associated with the navigation's |source|
to act upon the navigation. To support these directives, we walk through the relevant document's
CSP list, and allow its directives to process their [=directive/navigation response checks=].
That framing might also suggest switching the terminology here from "source"/"target" to something like "response"/"source".
index.src.html
Outdated
| |directive|'s <a for="directive">name</a>. | ||
|
|
||
| Note: We use `null` for the global object, as no global exists: | ||
| we haven't processed the navigation to create a Document yet. |
There was a problem hiding this comment.
This makes sense for the target checks. I wonder if we ought to use |source|'s global for the source checks. That might not actually be possible, give the way browsers implement navigation, of course. Chrome might have thrown away the initial context if we're processing a redirect at this point...
index.src.html
Outdated
| we haven't processed the navigation to create a Document yet. | ||
|
|
||
| 3. Set |violation|'s <a for="violation">resource</a> to |navigation | ||
| response|'s <a for="response">URL</a>. |
There was a problem hiding this comment.
This also makes sense for the target checks, but I think it might be wrong for the source checks. We'd want the initial URL of the request that began the navigation. That is, given the chain A => B => C, if C is a violation, we should return A in order to avoid leaking redirect targets. Same logic as the note in step 2 of https://w3c.github.io/webappsec-csp/#create-violation-for-request: something like "|navigation request|'s [=request/url=]" should do it for that section, I think.
index.src.html
Outdated
| 2. If |check type| is "`source`", return "`Allowed`". | ||
|
|
||
| Note: The 'frame-ancestors' <a>directive</a> is relevant only on the | ||
| |target| <a>browsing context</a> and it has no impact on the |source| |
There was a problem hiding this comment.
It's not really relevant to the target browsing context, but to the policies delivered with the response that we're processing.
index.src.html
Outdated
| a document can navigate by any means (<{a}>, <{form}>, `window.location`, | ||
| `window.open`, etc.). The directive's syntax is described by the following ABNF grammar: | ||
| The <dfn export>navigation-to</dfn> directive restricts the {{URL}}s to which | ||
| a <a>document</a> can initiate navigations by any means (<{a}>, <{form}>, `window.location`, |
There was a problem hiding this comment.
I wonder if we should structure this as sitting under form-action? That is, given the policy navigation-to a b c; form-action d, would we allow or deny a form submission to d? It seems like we'd want to allow it.
index.src.html
Outdated
| `navigation-to` Navigation Response Check | ||
| </h5> | ||
|
|
||
| Given a <a for="/">request</a> (|request|), a <a>response</a> (|navigation response|) |
There was a problem hiding this comment.
Nit: This gets the navigation type string as well.
index.src.html
Outdated
| 2. If |check type| is "`target`", return "`Allowed`". | ||
|
|
||
| Note: The 'navigation-to' <a>directive</a> is relevant only on the | ||
| |source| <a>browsing context</a> and it has no impact on the |target| |
There was a problem hiding this comment.
Nit: "relevant to", not "relevant on".
index.src.html
Outdated
|
|
||
| 2. If this directive's <a for="directive">value</a> does not contain a <a>source | ||
| expression</a> that is an <a>ASCII case-insensitive</a> match for | ||
| the "<a grammar>`'only-check-last-endpoint'`</a>" |
There was a problem hiding this comment.
How about 'allow-redirects'? Or, in keeping with the rest of everything in CSP, 'unsafe-allow-redirects'?
|
Thank you @annevk and @mikewest for the feedback. I have addressed all of it (hopefully): renamed I need some help with making sure that this navigation-to check does not affect any out-of-document navigations (eg typing in the omnibox). I assume the source context won't have any policies if it's not a document that initiates the navigation but I could use some help to make sure that is the case. |
There was a problem hiding this comment.
Thanks! A few more thoughts.
I think the tests in web-platform-tests/wpt#9197 reflect the earlier choice to use the target frame's policy rather than the source frame's policy. Will you update those as well?
index.src.html
Outdated
| executed during [[#should-block-navigation-response]]. | ||
| It returns "`Allowed`" unless otherwise specified. | ||
| <a for="/">request</a>, a navigation type string, a <a>response</a>, two | ||
| <a>browsing contexts</a>, a check type string ("`source`" or "`response`"), |
There was a problem hiding this comment.
Listing the values here is nice! Could you do it for the navigation type strings as well ("`form-submission`" or "`other`")?
index.src.html
Outdated
| @@ -608,7 +608,7 @@ <h4 id="framework-directive-source-list">Source Lists</h4> | |||
| ; Keywords: | |||
| <dfn>keyword-source</dfn> = "<dfn>'self'</dfn>" / "<dfn>'unsafe-inline'</dfn>" / "<dfn>'unsafe-eval'</dfn>" | |||
| / "<dfn>'strict-dynamic'</dfn>" / "<dfn>'unsafe-hashed-attributes'</dfn>" / | |||
| / "<dfn>'report-sample'</dfn>" / "<dfn>'only-check-last-endpoint'</dfn>" | |||
| / "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>" | |||
There was a problem hiding this comment.
Would you mind adding something like:
ISSUE: Bikeshed `unsafe-allow-redirects`.
Shouldn't block this patch, but we should think about it a bit as a group.
| @@ -1379,12 +1379,15 @@ <h4 id="should-block-navigation-response" algorithm> | |||
| 2. For each |policy| in |navigation response|'s | |||
| <a for="response">CSP list</a>: | |||
|
|
|||
| Note: Some directives (like <a>frame-ancestors</a>) allow a |response|'s | |||
| <a>Content Security Policy</a> to act on the navigation. | |||
There was a problem hiding this comment.
I liked the rest of the explanation I suggested. :) "To support these directives, we walk through the response's CSP list and allow its directives to process their [=directive/navigation response checks=]". Too much explanation?
There was a problem hiding this comment.
It felt like I was using words to describe the steps of the algorithm without adding extra information.
There was a problem hiding this comment.
shrug Ok. I'm fine with clarifying repetition, but if you think it's too much, I'll not push on it.
index.src.html
Outdated
| @@ -1403,22 +1406,27 @@ <h4 id="should-block-navigation-response" algorithm> | |||
|
|
|||
| 3. For each |policy| in |source|'s <a>active document</a>'s <a for="Document">CSP List</a>: | |||
|
|
|||
| Note: Some directives (like <a>navigate-to</a>) need the |response| before | |||
| acting on the navigation. | |||
There was a problem hiding this comment.
I saw the interesting bit here as acting on the policies associated with |source| rather than |response| (or |target|, for that matter).
index.src.html
Outdated
| Note: Depending on the browser's implementation it might not be | ||
| possible to obtain the |source|'s <a>relevant global object</a> | ||
| at this point in time. If that is the case `null` should be used | ||
| instead. |
There was a problem hiding this comment.
I'd drop this note. We're already relying on |source| active document's policy above. If that exists, then from a spec perspective, the global should exist as well. If we need to do some weird monkey patching in Chrome to store the details we need to generate the report, so be it.
index.src.html
Outdated
| 2. If |check type| is "`source`", return "`Allowed`". | ||
|
|
||
| Note: The 'frame-ancestors' <a>directive</a> is relevant only on the | ||
| |target| <a>browsing context</a> and it has no impact on the |source| |
|
The eventual commit message should mention that this fixes #125. |
|
Once this makes it in, I will update the tests in web-platform-tests/wpt#9197 of course. |
There was a problem hiding this comment.
LGTM. Would you mind hopping onto the WebAppSec call this evening to solicit feedback even more explicitly from other folks? :)
Once this makes it in, I will update the tests in web-platform-tests/wpt#9197 of course.
Please update the tests so we can land them at around the same time we put this into the spec.
| @@ -1379,12 +1379,15 @@ <h4 id="should-block-navigation-response" algorithm> | |||
| 2. For each |policy| in |navigation response|'s | |||
| <a for="response">CSP list</a>: | |||
|
|
|||
| Note: Some directives (like <a>frame-ancestors</a>) allow a |response|'s | |||
| <a>Content Security Policy</a> to act on the navigation. | |||
There was a problem hiding this comment.
shrug Ok. I'm fine with clarifying repetition, but if you think it's too much, I'll not push on it.
PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66
|
I have separated the tests into their own PR independent of the chrome implementation patch. |
PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66
PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66
PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66
PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66 Reviewed-on: https://chromium-review.googlesource.com/934181 Commit-Queue: Andy Paicu <[email protected]> Reviewed-by: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#541769}
PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66 Reviewed-on: https://chromium-review.googlesource.com/934181 Commit-Queue: Andy Paicu <[email protected]> Reviewed-by: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#541769}
PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66 Reviewed-on: https://chromium-review.googlesource.com/934181 Commit-Queue: Andy Paicu <[email protected]> Reviewed-by: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#541769}
Automatic update from web-platform-tests'navigate-to' directive tests PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66 Reviewed-on: https://chromium-review.googlesource.com/934181 Commit-Queue: Andy Paicu <[email protected]> Reviewed-by: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#541769} wpt-commits: c36f23851a19457614035e9937d992f36ef434e9 wpt-pr: 9644 wpt-commits: c36f23851a19457614035e9937d992f36ef434e9 wpt-pr: 9644
Automatic update from web-platform-tests'navigate-to' directive tests PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66 Reviewed-on: https://chromium-review.googlesource.com/934181 Commit-Queue: Andy Paicu <andypaicuchromium.org> Reviewed-by: Mike West <mkwstchromium.org> Cr-Commit-Position: refs/heads/master{#541769} wpt-commits: c36f23851a19457614035e9937d992f36ef434e9 wpt-pr: 9644 wpt-commits: c36f23851a19457614035e9937d992f36ef434e9 wpt-pr: 9644 UltraBlame original commit: f9f41a459b9ae92a9b9a6bbef6a759f7550d45c1
Automatic update from web-platform-tests'navigate-to' directive tests PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66 Reviewed-on: https://chromium-review.googlesource.com/934181 Commit-Queue: Andy Paicu <andypaicuchromium.org> Reviewed-by: Mike West <mkwstchromium.org> Cr-Commit-Position: refs/heads/master{#541769} wpt-commits: c36f23851a19457614035e9937d992f36ef434e9 wpt-pr: 9644 wpt-commits: c36f23851a19457614035e9937d992f36ef434e9 wpt-pr: 9644 UltraBlame original commit: f9f41a459b9ae92a9b9a6bbef6a759f7550d45c1
Automatic update from web-platform-tests'navigate-to' directive tests PR: w3c/webappsec-csp#290 Bug: 805886 Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66 Reviewed-on: https://chromium-review.googlesource.com/934181 Commit-Queue: Andy Paicu <andypaicuchromium.org> Reviewed-by: Mike West <mkwstchromium.org> Cr-Commit-Position: refs/heads/master{#541769} wpt-commits: c36f23851a19457614035e9937d992f36ef434e9 wpt-pr: 9644 wpt-commits: c36f23851a19457614035e9937d992f36ef434e9 wpt-pr: 9644 UltraBlame original commit: f9f41a459b9ae92a9b9a6bbef6a759f7550d45c1
There has been talk at TPAC about this and there is some generally positive feedback around this explainer I sent earlier.
WDYT?
Also who else should be added?
Preview | Diff