-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use "least restrictive" directive instead of prefetch-src
#582
Conversation
When prefetching a resource (or preconnecting to an origin), the destination of the request is unknown and also not important. e.g. if this resource is a script and would be disallowed by `script-src`, the directive would be invoked again when the response is about to be consumed and would be rejected then. The only security measure valid for prefetch/preconnect is to avoid exfiltration - i.e. block the request when the default directive blocks this URL and no other directive allows it. Closes w3c#542
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like a reasonable direction to me. I'd like to find a way to include DNS prefetch / preconnect as well. Perhaps we can hand-wave at that in a security considerations section, since I don't think the fetch hooks exist at the moment?
@@ -2703,74 +2701,6 @@ this algorithm returns normally if compilation is allowed, and throws a | |||
|
|||
4. Return "`Allowed`". | |||
|
|||
<h4 id="directive-prefetch-src">`prefetch-src`</h4> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you'll also need to modify https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request and https://w3c.github.io/webappsec-csp/#directive-fallback-list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
I will add a non-handwavy thing for preconnect in fetch, no need to handwave. Probably create a "fake" request just for the purpose of checking it against the policy. I don't know if |
|
OK then. |
(Defining |
Totally, it's on my list after we finish |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added some suggestions, but this generally looks good.
Have you talked to other vendors about their opinion on this change? Are tests in progress?
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Co-authored-by: Mike West <[email protected]>
Waiting for a response from Mozilla folks to this Standards position comment, and for Apple's position on some of the details. I wanted to reach a bit of consensus before proceeding to the tests, but perhaps this is a good time. |
Instead of relying on `prefetch-src`, we rely on the least restrictive directive in the policy. Tests w3c/webappsec-csp#582
Tests: web-platform-tests/wpt#37715 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @noamr. I'm happy with this PR based on the tests you linked and WebKit's apparent approval in WebKit/standards-positions#114 (comment).
You'll need to join WebAppSec to make the IPR bot happy. Perhaps you can take care of that before I land this?
Done |
SHA: 54ae572 Reason: push, by mikewest Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
It was removed by CSP: w3c/webappsec-csp#582.
w3c/webappsec-csp#582 dropped prefetch-src from the CSP spec.
w3c/webappsec-csp#582 dropped prefetch-src from the CSP spec.
w3c/webappsec-csp#582 dropped prefetch-src from the CSP spec.
As per w3c/webappsec-csp#582, prefetch-src has now been deprecated.
When prefetching a resource (or preconnecting to an origin), the destination of the request is unknown and also not important.
e.g. if this resource is a script and would be disallowed by
script-src
, the directive would be invoked again when the response is about to be consumed and would be rejected then.The only security measure valid for prefetch/preconnect is to avoid exfiltration - i.e. block the request when the default directive blocks this URL and no other directive allows it.
Closes #542