-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
COOP inheritance for popups from cross-origin iframes. #8481
Comments
Recording the origin also means being clear on what the origin would look like, in particular with regard to CSP sandboxing. Today, the spec says we're supposed to block CSP sandboxing if put together with COOP. However the initial reasoning does not apply to CSP sandboxing. In Chrome's implementation, I found that we did not block CSP sandbox when used together with COOP, but that we used an opaque origin, only during the response, and not redirects. These inconsistencies can be addressed using this proposal. The document origin would be opaque, but the COOP origin would be the actual origin. This means a page A with COOP: same-origin could navigate to a page A with COOP: same-origin and CSP: sandbox. Openers would be preserved, but DOM access would not be allowed (since one page has origin A and the other and opaque origin). Both redirects and responses would behave the same. |
@annevk for visibility |
It's not clear to me how that deals with initial about:blank which is what I thought the problem was. When you have A embeds B and B popups initial about:blank (which always happens), initial about:blank will have origin B but COOP {value, A}. I don't think we had a credible attack yet, but at that point you do have a browsing context group with two top-level documents of different origins, which violates an invariant we set for ourselves. As for sandboxing, I think the main point around that is that when A sandboxes itself and popups A that has COOP, you don't get in a situation where you are sandboxed. COOP gives some kind of "fresh start guarantee". |
I think we're on the same line then, as the change I mention is only for non sandboxed documents that themselves set CSP sandbox. All inheritance, be it from attribute or CSP would still lead to an error.
In that case the invariant becomes "a browsing context group only ever has a single COOP origin". Regarding the attack vector, what this changes, is that a subframe can now have access to a main frame with the same characteristics. So we need to look at things a top-level document can do, that an iframe cannot. One thing I thought of is Permissions Policy for crossOriginIsolated which could be trivially bypassed, as these are not inherited. Maybe it would be valuable to migrate crossOriginIsolated to a different gating, as it is bound by processes and not permissions, so it seems ill-suited. |
Right, and that invariant is important as in theory the whole browsing context group can run in a single process on lower end devices. Do you have a write-up somewhere for restrict-properties that clearly documents all the requirements? Perhaps we should consider alternative designs. |
Sorry for the loooong delay, I had to switch to another topic. I made a public doc explaining the different options and behaviors, hope that helps! |
Hi @annevk, did you get a chance to look at the explainer with the different options? I'll have to get to this soon for Chrome's COOP: RP implementation :) Thanks! |
Thoughts:
|
Thanks for the read and the feedback! I'll try to address your points:
Sorry , it sounded more imperious than intended! We're indeed still doing the implementation for the experiment phase. Since it is somewhat independent of the rest of the COOP: RP story, I wanted to hear your opinion before committing to a couple of weeks of implementation/review.
I've added clear requirements in the explainer. Quickly summed up:
You're right, we had a look at the capabilities a top-level browsing context would have compared to an iframe with a given origin. What came up was just the crossOriginIsolated permission, and we've tried to address that by having a restriction on the Permissions-Policy for those cases.
I agree to that as well, but unfortunately I don't see another path forward that doesn't significantly reduce the usefulness of the feature.
I've gotten complaints from that as well internally, people would prefer allow-messaging. I'll try to organize something so that we can decide on a final name. Thanks! |
The other thing I want to raise again while we're talking about this is that popups still present a significant privacy challenge we all have to overcome. Adding significant complexity around popups at this time seems like a risky investment. In particular because the use cases we typically discuss are centered around logins, for which FedCM aims to be the solution. Which raises these questions:
|
Hi Anne!
Internally and externally we know about a few, on the top of my head: payments, video conferencing, data visualization, integration with embedded content (like clicking on a meeting link from an email), etc. It seems very unrealistic that we are going to be able to have individual APIs for each usage, as much as I would like to get rid of popups altogether.
We don't yet have a clear story, but we are working on it. I believe @arichiv looked at potential solutions to do communication partitioning for popups, and we'll discuss them in early April. The one we've looked at a bit is about chaining partitioning: a third-party iframe would open popups in the same partitioning, despite it being top-level. |
I hope to share a proposal in the next couple weeks, sorry for the delay getting back here. |
Would it be possible to change the semantics of |
What is the relationship between this and #6364 ? |
Hi everyone!
Currently, we do not inherit COOP for initial empty documents in popups, if they were opened by an iframe that is cross-origin with the top-level document. This is because the origin is inherited from the iframe, and COOP from the top-level frame, which would cause issues down the line.
Imagine we had page A with COOP: same-origin and an iframe B. If B opens a popup, it would inherit COOP: same-origin and origin B, in the same BrowsingContext group, which is not normally possible.
Our initial solution to this problem was to not inherit, and to set noopener if dealing with COOP: same-origin. So currently, if A sets COOP: X and an iframe B opens a popup to C:
X = unsafe-none -> This is a normal popup being opened, without COOP involved.
X = same-origin-allow-popups -> The initial empty document has origin B and COOP: unsafe-none. Navigation to C stays in the same BrowsingContext group, which is the expected behavior for same-origin-allow-popups.
X = same-origin -> We set no-opener. The initial empty document is in a separate BrowsingContext group, with origin B and COOP: unsafe-none.
This approach is not very robust, and works only with the current values. In particular the development of COOP: restrict-properties is blocked by this behavior.
What we propose instead is to group COOP in a tuple with the top-level origin that initially sent the header. Instead of comparing the document origins, we compare {value, origin} tuples of the pages COOP. This means we could always inherit COOP without security risks.
I haven't thought of a case where that wouldn't work as intended. Any feedback is welcome!
The text was updated successfully, but these errors were encountered: