Re: [blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

An update on this: The extra input sanitization was merged for M119 behind a feature flag for M119 fenced frame changes. It rejects macros at declaration time whose keys/values use characters that are disallowed in URI components (e.g. &, ?, $, {, } that were most relevant here).

Re: [blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

LGTM3 On Wed, Sep 6, 2023 at 8:47 AM Yoav Weiss wrote: > LGTM2 > > On Fri, Sep 1, 2023 at 11:54 PM Mike Taylor > wrote: > >> I also had an offline discussion with Daniel to confirm shipping as-is in >> M117, and sanitizing in 118 is acceptable from a security POV (trust but >> verify, etc). >>

Re: [blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

LGTM2 On Fri, Sep 1, 2023 at 11:54 PM Mike Taylor wrote: > I also had an offline discussion with Daniel to confirm shipping as-is in > M117, and sanitizing in 118 is acceptable from a security POV (trust but > verify, etc). > > LGTM1 to ship. > On 8/31/23 7:55 AM, 'Garrett Tanzer' via blink-dev

Re: [blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

I also had an offline discussion with Daniel to confirm shipping as-is in M117, and sanitizing in 118 is acceptable from a security POV (trust but verify, etc). LGTM1 to ship. On 8/31/23 7:55 AM, 'Garrett Tanzer' via blink-dev wrote: After some discussion offline, we're going to sanitize the

Re: [blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

After some discussion offline, we're going to sanitize the macro keys and values with EscapeQueryParamValue so that macro substitution always stays within the original query

Re: [blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

Hi Daniel, - There are a few relevant call sites in the overall reporting flow: - Declare allowlist of reporting destination origins - This happens in navigator.joinAdInterestGroup(), by an ad auction buyer - Declare macros (key:value correspondences) -

Re: [blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

Note that these features are targeted at M117. Will defer to gtanzer@ to answer the FFAR questions. On Monday, August 28, 2023 at 9:35:34 AM UTC-4 Daniel Vogelheim wrote: > Hi Liam, > > This intent has come up in the OWP security triage, and I'm trying to > figure out whether there's XSS

Re: [blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

Hi Liam, This intent has come up in the OWP security triage, and I'm trying to figure out whether there's XSS potential in the 3rd sub-feature, "Creative macros in FFAR". This looks like a string-based pattern replacement where the result string will then be parsed by the browser. Similar things

[blink-dev] Intent to Ship: Fenced Frames - Functionality Updates

Contact emails shivani...@chromium.org, d...@chromium.org, jkar...@chromium.org, lbr...@google.com Explainer(s) Send Automatic Beacons Once https://github.com/WICG/turtledove/pull/718 Serializable Fenced Frames Configs - Minor Change, No explainer available. Note: With this change,