From ee2fccba3cb7728021d08d40f2bc04acd4b84d48 Mon Sep 17 00:00:00 2001 From: Robbie McElrath Date: Fri, 9 Aug 2024 17:16:49 -0700 Subject: [PATCH] Redo integrity verification in IsolatedContext spec (#44) This addresses the issues raised by @domfarolino in #42 regarding how the spec was tying integrity verification to browsing context group. Rather than attaching integrity verification information to browsing context group, which doesn't exist for all environments, this moves the information to a user agent level map. --- isolated-contexts.bs | 71 +++++++++++++++++++------------------------- 1 file changed, 31 insertions(+), 40 deletions(-) diff --git a/isolated-contexts.bs b/isolated-contexts.bs index 0e9365d..0e9afc2 100644 --- a/isolated-contexts.bs +++ b/isolated-contexts.bs 
@@ -388,20 +388,25 @@ the associated [=environment settings object/global object=]. ### Integrity ### {#html-integrity} -A [=browsing context group=] has an -integrity origin, which is an [=origin=] or `null`. - -A [=browsing context group=] has an -integrity verification algorithm, which is `null` or an +An integrity verification algorithm is an [=implementation-defined=] algorithm that accepts a [=request=] and a -[=response=], and returns a [=boolean=]. A [=browsing context group=]'s -[=integrity verification algorithm=] MUST be non-null if its -[=integrity origin=] is non-null. +[=response=], and returns a [=boolean=]. Note: A typical [=integrity verification algorithm=] might verify that a response body hashes to an expected value, or that it originated from a known bundle of resources. +A [=user agent=] holds an origin integrity verification map, +which is a [=map=] of [=tuple origins=] to +[=integrity verification algorithms=]. + +Note: How user agents populate the [=origin integrity verification map=] is +outside the scope of this specification, which is focused on the properties +needed to establish integrity and isolation. +Isolated Web Apps +provide one possible implementation by basing this map on the set of installed +Isolated Web Apps. + ### Environment Settings Object properties ### {#html-environment-properties}
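Review bot: the new user-agent-level [=origin integrity verification map=] carries no stability requirement, yet the context line of the next hunk states that "these properties will not mutate during an environment's lifetime"; with a map that user agents populate as they see fit (the added Note explicitly leaves population out of scope), an entry can appear or disappear while an environment that depends on it is live, flipping its isolated-context status mid-lifetime. Suggest either a normative sentence after the map definition along the lines of "A user agent MUST NOT add or remove an entry for an origin while an environment with that origin exists", or an explicit statement that the isolated-context determination is made once when the environment is created and cached.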
@@ -427,20 +432,15 @@ these properties will not mutate during an environment's lifetime.
An [=environment settings object=] |environment| is an isolated context if the following algorithm returns `true`: - 1. Let |browsing context group| be the [=browsing context group=] that - |environment| belongs to. 1. If |environment| does not [=environment settings object/meaningfully mitigate injection attacks=], return `false`. - 1. If |environment|'s [=cross-origin isolated capability=] is not - [=concrete=], return `false`. + 1. If |environment|'s [=cross-origin isolated capability=] is + not [=concrete=], return `false`. 1. If |environment| does not [=environment settings object/mitigate UI Redressing attacks=], return `false`. - 1. If |browsing context group|'s [=browsing context group/integrity - origin=] is null, return `false`. - 1. Let |integrity origin| be |browsing context group|'s - [=browsing context group/integrity origin=]. - 1. If |environment|'s [=origin=] is not [=same origin=] with |integrity - origin|, return `false`. + 1. Let |origin| be |environment|'s [=origin=]. + 1. If the [=user agent=]'s [=origin integrity verification map=][|origin|] + does not [=map/exist=], return `false`. 1. Return `true`.
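Review bot: the new lookup step keys the map by |environment|'s [=origin=], but the map is defined over [=tuple origins=] and an environment's origin may be opaque; the removed [=same origin=] comparison covered that case implicitly (an opaque origin is never same origin with a tuple origin), whereas the intended result of a map lookup with an opaque key is now left to the reader. Suggest making it explicit with a step such as "If |origin| is an opaque origin, return `false`." before "If the [=user agent=]'s [=origin integrity verification map=][|origin|] does not [=map/exist=], return `false`."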
@@ -459,24 +459,14 @@ and a [=response=] |response|, run these steps. Possible return values are
  1. Let |client| be |request|'s [=request/client=].
  2. If |client| is `null`, return "`not applicable`".
  3. +
  4. Let |origin| be |request|'s [=request/origin=].
  5. - Let |browsing context group| be the [=browsing context group=] that - |client| belongs to. + If the [=user agent=]'s [=origin integrity verification map=][|origin|] + does not [=map/exist=], return "`not applicable`".
  6. - Let |integrity origin| be |browsing context group|'s [=integrity origin=]. -
  7. -
  8. - Let |integrity verification algorithm| be |browsing context group|'s - [=integrity verification algorithm=]. -
  9. -
  10. - If |integrity origin| or |integrity verification algorithm| are `null`, - return "`not applicable`". -
  11. -
  12. - If |request|'s [=request/origin=] is not [=same origin=] with |integrity - origin|, return "`not applicable`". + Let |integrity verification algorithm| be the [=user agent=]'s + [=origin integrity verification map=][|origin|].
  13. If |response|'s [=response/body=] is `null`, return "`invalid`". @@ -612,8 +602,10 @@ after similarly handling [{{CrossOriginIsolated}}] (step 4 below). ## Storage ## {#monkey-storage} The [=obtain a storage key for non-storage purposes=] algorithm is extended to -require double-keying on all storage within a [=browsing context group=] -containing [=Isolated Contexts=]. +require double-keying on all storage belonging to an + +environment with a [=top-level origin=] known by the [=user agent=] to have +an [=integrity verification algorithm=].
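Review bot: steps 1 and 2 ("Let |client| be |request|'s [=request/client=]." / "If |client| is `null`, return "`not applicable`".") are now dead code, since after this change no later step reads |client|; either drop them or add a sentence stating why a client-less request is exempt from verification. The change also has a behavioural consequence that the commit message does not mention: the removed check "If |request|'s [=request/origin=] is not [=same origin=] with |integrity origin|" tied verification to the requesting client's integrity origin, whereas the new steps key solely on |request|'s origin, so a request issued from a non-isolated client to an origin present in the map is now verified too. If that widening is intended, say so in the commit message or a note.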
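Review bot: the replacement prose describes the condition as a [=top-level origin=] "known by the [=user agent=] to have an [=integrity verification algorithm=]", while the algorithm that follows tests existence in the [=origin integrity verification map=]; linking the map here (e.g. "whose [=top-level origin=] [=map/exists=] in the [=user agent=]'s [=origin integrity verification map=]") keeps the prose and the algorithm on one term. Also check the added lines for the blank line between "belonging to an" and "environment with a", which Bikeshed would treat as a paragraph break and split the sentence.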
    To obtain a storage key for non-storage purposes, given an @@ -628,13 +620,12 @@ environment |environment|, run these steps:
  14. - Let |integrity origin| be the [=browsing context group/integrity origin=] - of the [=browsing context group=] that |environment| belongs to. + Let |top-level origin| be |environment|'s [=top-level origin=].
  15. -
  16. - If |integrity origin| is non-null, return a [=tuple=] consisting of - |integrity origin| and |origin|. + If the [=user agent=]'s [=origin integrity verification map=] + [|top-level origin|] [=map/exists=], return a [=tuple=] consisting of + |top-level origin| and |origin|.
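Review bot: switching the key from the browsing context group's integrity origin to |environment|'s [=top-level origin=] changes which environments get double-keyed: a nested environment whose own origin is in the map but whose top-level origin is not is no longer double-keyed, whereas under the removed text any environment in a group with a non-null integrity origin was. If that narrowing is intended, record it in the commit message or a note; otherwise consider also checking |environment|'s own |origin| against the [=origin integrity verification map=] before falling through to the default storage key.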