Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Have CORP check rely on request's response tainting rather than request's mode #985

Closed
yutakahirano opened this issue Dec 18, 2019 · 5 comments

Comments

@yutakahirano
Copy link
Member

Brought up at https://chromium-review.googlesource.com/c/chromium/src/+/1971810, related with w3c/ServiceWorker#1490.

We would like to run the CORP check in CacheStorage for COEP (w3c/ServiceWorker#1490), but currently the CORP check relies on the request mode which is not directly accessible there. request's response tainting is stored as response type and we can use it. What do you think about changing the first item as follows?

If request's response tainting is not "opaque", then return allowed.

In the CacheStorage spec, we will restore a request for the CORP check as follows:

  • Let request be a new request.
  • Set request's URL to the given URL.
  • Set request's origin to the current realm's origin
  • Set request's response tainting to
    • "basic" if response's type is "basic", "default" or "opaqueredirect"
    • "opaque" if response's type is "opaque"
    • "cors" if response's type is "cors"

@ArthurSonzogni @wanderview @annevk

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 18, 2019
[PROTOTYPE] => DO NOT COMMIT.

Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug:1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 18, 2019
[PROTOTYPE] => DO NOT COMMIT.

Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug:1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 18, 2019
[PROTOTYPE] => DO NOT COMMIT.

Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug:1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 19, 2019
[PROTOTYPE] => DO NOT COMMIT.

Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug:1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 19, 2019
Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug:1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 19, 2019
Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug:1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 19, 2019
Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug:1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 20, 2019
Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug:1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
@annevk
Copy link
Member

annevk commented Dec 20, 2019

Given the check the only caller does today is

If httpRequest’s response tainting is not "cors"

per https://fetch.spec.whatwg.org/#ref-for-cross-origin-resource-policy-check perhaps that initial step

If request’s mode is not "no-cors", then return allowed.

is even redundant?

I think we should investigate how this should change together with the change to enforce this for a service worker response.

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 20, 2019
Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug: 1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Ben Kelly <wanderview@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#726782}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 20, 2019
Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug: 1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Ben Kelly <wanderview@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#726782}
@yutakahirano
Copy link
Member Author

Yes, that is a possible approach. Do you think it's better?

Regarding the service worker response, it is now part of https://github.com/mikewest/corpp.

@annevk
Copy link
Member

annevk commented Jan 3, 2020

I think I would prefer putting all the checks in Fetch, if possible (Fetch gets the response from the service worker and can do it, after all), rather than putting security checks in Service Workers for this.

moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue Jan 3, 2020
…estonly

Automatic update from web-platform-tests
COEP: Enforce CORP in cache.match()

Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug: 1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Ben Kelly <wanderview@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#726782}

--

wpt-commits: 236e6dbc70e128ab5ff5bad6ab98888281df8ffd
wpt-pr: 20840
xeonchen pushed a commit to xeonchen/gecko that referenced this issue Jan 3, 2020
…estonly

Automatic update from web-platform-tests
COEP: Enforce CORP in cache.match()

Document using:
"Cross-Origin-Embedder-Policy: require-corp"
must not access cross-origin response that do not have the header:
"Cross-Origin-Resource-Policy: cross-site"

This is about only no-cors requests. CORS requests are checked against the
CORS headers instead.

See:
 - whatwg/fetch#985
 - w3c/ServiceWorker#1490

Bug: 1031542
Change-Id: I94a2cb9435fcf3e76f57a8f3d3344c87fa23f9a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1973913
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Ben Kelly <wanderview@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#726782}

--

wpt-commits: 236e6dbc70e128ab5ff5bad6ab98888281df8ffd
wpt-pr: 20840
@yutakahirano
Copy link
Member Author

I prefer running a CORP check in cache.match(w3c/ServiceWorker#1490), which means calling it from the SW spec.

@annevk
Copy link
Member

annevk commented Jan 10, 2020

Fair, I guess that would be the exception, but I don't think we need it for respondWith().

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

2 participants