Re: [blink-dev] Re: Intent to Deprecate and Remove: Same-origin blanket enforcement in CSPEE

2023-10-06 Thread Mike Taylor
Also, please request cross-functional review bits in the chromestatus entries.


On 10/6/23 10:59 AM, Mike Taylor wrote:


LGTM2

On 10/4/23 6:38 AM, Yoav Weiss wrote:

LGTM1

Usage seems low enough to make this safe still.

On Friday, September 29, 2023 at 2:24:11 AM UTC+2 Jun Kokatsu wrote:

Contact emails

jkoka...@google.com


Explainer

None


Specification

https://github.com/w3c/webappsec-cspee/pull/28/files



Summary

Removes a special treatment for same-origin iframes from CSP
Embedded Enforcement. This aligns the behavior of enforcing CSP
Embedded Enforcement for cross-origin iframes and same-origin
iframes.



Blink component

Blink>SecurityFeature>ContentSecurityPolicy




Motivation

The same-origin blanket enforcement logic specific to same-origin
iframes exposes a new way to block certain resources from loading
in the iframe. This allowed an attack which was not possible
before (example).



Additionally, this caused a bug where the CSP nonce value enforced
by CSPEE from a top frame had to exactly match the nonce value served
in the grand-child frame, if the top frame and child frame are
cross-origin, but the child frame and grand-child frame are
same-origin.


Given this part of blanket enforcement is rarely used (~0.17%),
let's remove this logic.



Initial public proposal

None


TAG review

None


TAG review status

Not applicable


Risks

Interoperability and Compatibility

None



Gecko: Positive



WebKit: No signal



Web developers: No signals


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs,
such that it has potentially high risk for Android WebView-based
applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

Yes


Flag name on chrome://flags

None


Finch feature name

None


Non-finch justification

None


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1263288



Estimated milestones

M120



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5098158594195456



--
You received this message because you are subscribed to the Google 
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, 
send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d968fa5a-7c9f-4c2e-9a42-8dd3e468fa63n%40chromium.org 
.


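Added example, not part of the thread, of Chromium, or of the CSPEE spec text: a simplified JavaScript model of the decision an embedder's browser makes when an `<iframe csp="...">` loads a response, with the same-origin blanket-enforcement branch that this intent removes placed behind a `legacySameOriginBlanket` flag so the before/after outcome for a same-origin child that never opted in can be compared side by side. Assumptions: the subsumption check is a source-set-inclusion approximation of the spec's algorithm rather than a faithful port, the decision order is a simplification, and every URL, header value and policy below is constructed for illustration.

```javascript
// Simplified model of CSP Embedded Enforcement (added example, not spec code).
// An embedder sets a "required CSP" on a child frame. On load, the browser
// decides whether to (a) enforce that policy on the child, (b) accept the
// child's own policy because it already subsumes the required one, or
// (c) block the load. The legacy branch modelled here is the same-origin
// special case: a same-origin child got the required policy applied without
// opting in. The intent above aligns same-origin children with cross-origin.

// Parse "script-src 'self' https://a.example; img-src 'none'" into
// Map(directiveName -> Set(sourceExpressions)). Assumed simplification:
// no handling of duplicate directives or directive-specific grammar.
function parseCsp(serialized) {
  const policy = new Map();
  for (const raw of serialized.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), new Set(sources));
  }
  return policy;
}

// Approximate subsumption: every directive the embedder requires must exist
// in the child's policy, and the child's source list must be a subset of the
// required source list (i.e. at least as restrictive). The real spec
// algorithm is more involved; this is a deliberate simplification.
function subsumes(required, candidate) {
  for (const [name, requiredSources] of required) {
    const childSources = candidate.get(name);
    if (!childSources) return false;
    for (const src of childSources) {
      if (!requiredSources.has(src)) return false;
    }
  }
  return true;
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide what happens to a child response. `response.headers` uses
// lower-case header names (constructed input, not a real fetch Response).
function decide({ embedderUrl, requiredCsp, response, legacySameOriginBlanket }) {
  const required = parseCsp(requiredCsp);
  const headers = response.headers;
  const allowFrom = headers["allow-csp-from"];

  // Explicit opt-in: the child lets this embedder impose its policy.
  if (allowFrom === "*" ||
      (allowFrom && new URL(allowFrom).origin === new URL(embedderUrl).origin)) {
    return { action: "enforce-required", reason: "Allow-CSP-From opt-in" };
  }

  // Legacy branch removed by the intent: same-origin children were treated
  // as if they had opted in, so the embedder's policy landed on them anyway.
  if (legacySameOriginBlanket && sameOrigin(embedderUrl, response.url)) {
    return { action: "enforce-required", reason: "same-origin blanket enforcement" };
  }

  // No opt-in: accept only if the child's own policy is already at least as
  // strict as what the embedder requires; otherwise block the load.
  const childCsp = headers["content-security-policy"];
  if (childCsp && subsumes(required, parseCsp(childCsp))) {
    return { action: "allow-as-is", reason: "child CSP subsumes required CSP" };
  }
  return { action: "block", reason: "no opt-in and child CSP does not subsume" };
}

// Constructed scenarios comparing the legacy and aligned behaviour.
function compareBehaviours() {
  const embedderUrl = "https://app.example/";
  const requiredCsp = "script-src 'nonce-abc'";
  const sameOriginNoOptIn = { url: "https://app.example/widget", headers: {} };
  const crossOriginOptIn = {
    url: "https://widget.example/embed",
    headers: { "allow-csp-from": "https://app.example" },
  };
  const crossOriginStrictCsp = {
    url: "https://widget.example/embed",
    headers: { "content-security-policy": "script-src 'nonce-abc'" },
  };
  const run = (response, legacy) =>
    decide({ embedderUrl, requiredCsp, response, legacySameOriginBlanket: legacy }).action;
  return {
    sameOriginLegacy: run(sameOriginNoOptIn, true),    // "enforce-required"
    sameOriginAligned: run(sameOriginNoOptIn, false),  // "block"
    crossOriginOptIn: run(crossOriginOptIn, false),    // "enforce-required"
    crossOriginStrict: run(crossOriginStrictCsp, false), // "allow-as-is"
  };
}

console.log(compareBehaviours());
```

The `sameOriginLegacy` versus `sameOriginAligned` rows are the behavioural change the intent describes: after removal, a same-origin child that neither opts in via `Allow-CSP-From` nor ships a policy subsuming the required one is handled exactly like a cross-origin child, which is the property worth checking in web-platform-tests when auditing an embedder that relies on the old special case.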
