From 8406e479d873aaa9c8b6f1548784a890d794b3cf Mon Sep 17 00:00:00 2001 
From: Arthur Sonzogni
Date: Mon, 3 May 2021 18:33:13 +0200
Subject: [PATCH 01/16] Specify the behavior of `COEP: credentialless`, (Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a
requirement for the `window.crossOriginIsolated` capability. They differ
mostly in the fetch specification. `require-corp` requires a CORP header for
cross-origin no-cors responses. `credentialless` doesn't, but omits
credentials (Cookies, client certificates, etc...) in no-cors cross-origin
requests.

* HTML (https://github.com/whatwg/html/pull/6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are
    equivalent. They have been grouped into `compatible with
    crossOriginIsolation` and the HTML spec rewritten to use this concept.
* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.
* ServiceWorker: XXX
  * Integration with `Cache.matchAll` algorithm.
  * XXX

See: https://github.com/whatwg/html/issues/6637

----

- [ ] At least two implementers are interested (and none opposed):
  * Chrome: https://chromestatus.com/feature/4918234241302528#details
  * Firefox: XXX
  * Safari: XXX
- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
  * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
  * Chrome: https://crbug.com/1175099
  * Firefox: XXX
  * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
---- See: https://github.com/whatwg/html/issues/6637 --- fetch.bs | 50 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/fetch.bs b/fetch.bs index a1d323376..9e9c2142b 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1892,6 +1892,25 @@ source of security bugs. Please seek security review for features that deal with exclude fragment set to true. +

To check Cross-Origin-Embedder-Policy allows credentials, given a +request request, run theses steps: + +

    +
  1. If request's mode is not no-cors", return + true.

    + +
  2. If request's client is null, return true.

    + +
  3. If request's client's embedder policy is not + "credentialless", return true.

    + +
  4. If request's origin is not same origin with + request's client's origin, + return true.

    + +
  5. Return false.

    +

Responses
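Review bot: step 4 of the new "Cross-Origin-Embedder-Policy allows credentials" algorithm has its condition inverted: it returns true (credentials allowed) when request's origin is *not* same origin with the client's origin, which is exactly the cross-origin no-cors case the commit message says `credentialless` must strip credentials from, and it returns false only for same-origin requests. It should read `If request's origin is same origin with ..., return true.` Two smaller things in the same hunk: step 1 reads `is not no-cors"` with the opening quote missing, and the intro says "run theses steps". Also consider comparing against request's current URL's origin rather than the client's origin: what decides whether credentials may travel is whether the URL actually being fetched (after any redirect) is cross-origin to the request, and a redirect chain that leaves the origin and comes back needs the same treatment as a plain cross-origin fetch.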

@@ -1978,6 +1997,10 @@ initially unset. being provided to an API that didn't make a range request. See the flag's usage for a detailed description of the attack. +

A response has an associated request-include-credentials, which is +initially set. +

A response has an associated timing allow passed flag, which is initially unset. @@ -3507,9 +3530,22 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or

  • If policy is neither `same-origin`, `same-site`, nor `cross-origin`, then set policy to null. -

  • If policy is null and embedderPolicyValue is - "require-corp", then set policy to - `same-origin`. +

  • If policy is null, switch on embedderPolicyValue: +

    +
    `unsafe-none` +
    `credentialless` +
    Set policy to `same-origin` if one of the + following is true: + + +
    `require-corp` +
    Set policy to `same-origin`. +
    +
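Review bot: the `unsafe-none` case of the new switch on embedderPolicyValue has no steps, so as written it is ambiguous whether it falls through into the `credentialless` case beneath it, which would hand a `same-origin` default policy to embedders that opted into nothing. Give it an explicit "Do nothing." step so every case is self-contained. A style point in the same hunk: the case labels use backticks (`unsafe-none`, `credentialless`, `require-corp`) although embedder policy values are enumerated strings and are quoted elsewhere in this algorithm (`embedderPolicyValue is "unsafe-none"`); backticks read as header values, which these are not, whereas `same-origin` for the CORP policy correctly stays backticked.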
  • Switch on policy: @@ -4668,6 +4704,10 @@ steps. They return a response.

    is true; otherwise false. +

  • +

    If Cross-Origin-Embedder-Policy allows credentials with + request is false, set includeCredentials to false.

    +
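Review bot: "allows credentials with request is false" reads as though the algorithm were a predicate value; since it returns a boolean (its last step is "Return false."), phrase the invocation as "returns false". The placement is right: the step runs after includeCredentials has been computed from the credentials mode and response tainting (the "is true; otherwise false." context just above), so the credentialless check can only ever clear includeCredentials and never adds credentials that the request's credentials mode would not have sent.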
  • Let contentLength be httpRequest's body's length, if httpRequest's body is non-null; otherwise null. @@ -5028,6 +5068,9 @@ steps. They return a response.

  • If httpRequest's header list contains `Range`, then set response's range-requested flag. +

  • Set response's request-include-credentials to + includeCredentials. +

  • If response's status is 401, httpRequest's response tainting is not "cors", includeCredentials is @@ -7843,6 +7886,7 @@ Arkadiusz Michalski, Arne Johannessen, Artem Skoretskiy, Arthur Barstow, +Arthur Sonzogni, Asanka Herath, Axel Rauschmayer, Ben Kelly, From c95a1e5e4229c1213abb81b9ddbf73da20ffaf3f Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Mon, 31 May 2021 16:50:13 +0200 Subject: [PATCH 02/16] Remove ambiguity in the switch. --- fetch.bs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fetch.bs b/fetch.bs index 9e9c2142b..ec8fa8d5b 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3533,6 +3533,8 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or

  • If policy is null, switch on embedderPolicyValue:

    `unsafe-none` +
    Do nothing. +
    `credentialless`
    Set policy to `same-origin` if one of the following is true: From ab4c380a2ed749f67e8fb3a8ca9768d307f38b13 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Mon, 7 Jun 2021 15:28:13 +0200 Subject: [PATCH 03/16] Fix the CORP check. --- fetch.bs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index ec8fa8d5b..f4b09e012 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3539,8 +3539,7 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or
    Set policy to `same-origin` if one of the following is true: From 55c97fa224b9237250efc8642c95159c3a006cbf Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Wed, 9 Jun 2021 13:29:42 +0200 Subject: [PATCH 04/16] Address Yutaka comment (invert same-origin check) --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index f4b09e012..13fd691a7 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1905,7 +1905,7 @@ source of security bugs. Please seek security review for features that deal with object">embedder policy is not "credentialless", return true.

    -
  • If request's origin is not same origin with +

  • If request's origin is same origin with request's client's origin, return true.

    From 4a1c72dca94fed515f90a61bf21e57d02185c609 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Wed, 9 Jun 2021 16:03:01 +0200 Subject: [PATCH 05/16] Address Yutaka comment #2 --- fetch.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index 13fd691a7..99c1a22ef 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1905,9 +1905,9 @@ source of security bugs. Please seek security review for features that deal with object">embedder policy is not "credentialless", return true.

    -
  • If request's origin is same origin with - request's client's origin, - return true.

    +
  • If request's client's origin is same origin with request's current URL's origin, return true.

  • Return false.
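Review bot: this hunk swaps the left-hand side of the same-origin comparison from request's origin to request's client's origin. The origin that decides whether credentials belong on a request is request's origin (response tainting in main fetch is derived from request's origin versus request's current URL's origin), and request's origin is not always the client's origin, so this check can disagree with the tainting of the very same response. Keep request's origin on the left; the right-hand side change to request's current URL's origin is the part that is correct, since the URL being fetched, not the client, is what makes the fetch cross-origin.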

    @@ -7887,7 +7887,7 @@ Arkadiusz Michalski, Arne Johannessen, Artem Skoretskiy, Arthur Barstow, -Arthur Sonzogni, +Arthur Sonzogni, , Asanka Herath, Axel Rauschmayer, Ben Kelly, From 5c9029418a02c88c89aa6b3353d5c3e373d0f17c Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Mon, 14 Jun 2021 15:55:17 +0200 Subject: [PATCH 06/16] Address Yutaka comment. --- fetch.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fetch.bs b/fetch.bs index 99c1a22ef..9b4391f09 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1905,9 +1905,9 @@ source of security bugs. Please seek security review for features that deal with object">embedder policy is not "credentialless", return true.

    -
  • If request's client's origin is same origin with request's current URL's origin, return true.

    +
  • If request's origin is same origin + with request's current URL's origin, return true.

  • Return false.

    From 4d8cb48bbdfb89c651cc131e63bb044ec33cd566 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Mon, 14 Jun 2021 16:02:18 +0200 Subject: [PATCH 07/16] Verify & fix newlines. --- fetch.bs | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/fetch.bs b/fetch.bs index 9b4391f09..35db6fee3 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1892,8 +1892,8 @@ source of security bugs. Please seek security review for features that deal with exclude fragment set to true. -

    To check Cross-Origin-Embedder-Policy allows credentials, given a -request request, run theses steps: +

    To check Cross-Origin-Embedder-Policy allows credentials, given a request request, run theses steps:

    1. If request's mode is not no-cors", return @@ -1902,12 +1902,11 @@ source of security bugs. Please seek security review for features that deal with

    2. If request's client is null, return true.

    3. If request's client's embedder policy is not - "credentialless", return true.

      + object">embedder policy is not "credentialless", return true.

      -
    4. If request's origin is same origin - with request's current URL's origin, return true.

      +
    5. If request's origin is same origin with + request's current URL's origin, return true.

    6. Return false.

    @@ -3536,8 +3535,7 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or
    Do nothing.
    `credentialless` -
    Set policy to `same-origin` if one of the - following is true: +
    Set policy to `same-origin` if one of the following is true:
    • response's request-include-credentials is true.
    • forNavigation is true. @@ -4705,9 +4703,8 @@ steps. They return a response.

      is true; otherwise false. -

    • -

      If Cross-Origin-Embedder-Policy allows credentials with - request is false, set includeCredentials to false.

      +
    • If Cross-Origin-Embedder-Policy allows credentials with request is + false, set includeCredentials to false.

    • Let contentLength be httpRequest's body's length, if httpRequest's body is non-null; From a7b9b13ace675abaaedd0a74b2bfabe6603fc4f0 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Thu, 17 Jun 2021 09:25:59 +0200 Subject: [PATCH 08/16] Address Yutaka comments #4. --- fetch.bs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/fetch.bs b/fetch.bs index 35db6fee3..bf9ee8c01 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1902,8 +1902,8 @@ for=/>request request, run theses steps:

    • If request's client is null, return true.

    • If request's client's embedder policy is not "credentialless", return true.

      + object">embedder policy is not + "credentialless", return true.

    • If request's origin is same origin with request's current URL's origin, return true.

      @@ -1997,8 +1997,8 @@ being provided to an API that didn't make a range request. See the flag's usage description of the attack.

      A response has an associated request-include-credentials, which is -initially set. +id=concept-response-request-include-credentials>request-include-credentials (a boolean), which +is initially true.

      A response has an associated timing allow passed flag, which is @@ -4703,7 +4703,7 @@ steps. They return a response.

      is true; otherwise false. -

    • If Cross-Origin-Embedder-Policy allows credentials with request is +

    • If Cross-Origin-Embedder-Policy allows credentials with request returns false, set includeCredentials to false.

    • Let contentLength be httpRequest's body's From 7678aa6c9f3520875e24bd9e2cf1136f08bf0c7c Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Tue, 6 Jul 2021 15:30:20 +0200 Subject: [PATCH 09/16] Address Yutaka comments. --- fetch.bs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/fetch.bs b/fetch.bs index bf9ee8c01..add07b554 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1892,8 +1892,8 @@ source of security bugs. Please seek security review for features that deal with exclude fragment set to true. -

      To check Cross-Origin-Embedder-Policy allows credentials, given a request request, run theses steps: +

      To check Cross-Origin-Embedder-Policy allows credentials, given a +request request, run theses steps:

      1. If request's mode is not no-cors", return @@ -1996,9 +1996,9 @@ initially unset. being provided to an API that didn't make a range request. See the flag's usage for a detailed description of the attack. -

        A response has an associated request-include-credentials (a boolean), which -is initially true. +

        A response has an associated +request-include-credentials +(a boolean), which is initially true.

        A response has an associated timing allow passed flag, which is From 2868bcdd7253c9ce9ec55037eb38a0218f1fb84b Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Tue, 14 Sep 2021 14:59:12 +0200 Subject: [PATCH 10/16] Address annevk@ comments. --- fetch.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index add07b554..df90deed4 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1901,9 +1901,8 @@ source of security bugs. Please seek security review for features that deal with

      2. If request's client is null, return true.

        -
      3. If request's client's embedder policy is not - "credentialless", return true.

        +
      4. If request's client's embedder policy + is not "credentialless", return true.

      5. If request's origin is same origin with request's current URL's origin, return true.

        @@ -3529,7 +3528,8 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or
      6. If policy is neither `same-origin`, `same-site`, nor `cross-origin`, then set policy to null. -

      7. If policy is null, switch on embedderPolicyValue: +

      8. +

        If policy is null, switch on embedderPolicyValue:

        `unsafe-none`
        Do nothing. From 541926e90c07d22f4961aba04f89abfef9e4bea4 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Mon, 20 Sep 2021 15:15:25 +0200 Subject: [PATCH 11/16] Address annevk@ comment about redirects. --- fetch.bs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index df90deed4..367ba84e3 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1905,7 +1905,8 @@ source of security bugs. Please seek security review for features that deal with is not "credentialless", return true.

      9. If request's origin is same origin with - request's current URL's origin, return true.

        + request's current URL's origin and + request's tainted origin flag is not set, return true.

      10. Return false.
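Review bot: good catch on redirects. With only the origin comparison, a no-cors request that starts same-origin, is redirected through a cross-origin URL and then back to the embedder's origin would end with request's origin same origin with its current URL and regain credentials on the final hop. Checking the tainted origin flag, which HTTP-redirect fetch sets when a redirect leaves a URL that is already cross-origin to the request, keeps such a request credential-less for the rest of the chain. This works because the step that calls the predicate sits in HTTP-network-or-cache fetch and so is re-evaluated on every hop rather than once for the original request; worth stating that in the commit message.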

      From 3c486868fe1dfacbfefe88992856b106a80c9474 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Tue, 21 Sep 2021 14:29:42 +0200 Subject: [PATCH 12/16] Rebase over PolicyContainter --- fetch.bs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index 367ba84e3..f40a6d08f 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1901,8 +1901,10 @@ source of security bugs. Please seek security review for features that deal with
    • If request's client is null, return true.

      -
    • If request's client's embedder policy - is not "credentialless", return true.

      +
    • If request's client's + policy container's + embedder policy is not + "credentialless", return true.

    • If request's origin is same origin with request's current URL's origin and From 89aaca1fdd377c5b10133cceb56a100ca618fd27 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Wed, 22 Sep 2021 13:41:13 +0200 Subject: [PATCH 13/16] Address annevk@ nits. --- fetch.bs | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/fetch.bs b/fetch.bs index f40a6d08f..192a74fe7 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1896,14 +1896,15 @@ source of security bugs. Please seek security review for features that deal with request request, run theses steps:

        -
      1. If request's mode is not no-cors", return +

      2. If request's mode is not no-cors", then return true.

      3. If request's client is null, return true.

      4. If request's client's policy container's - embedder policy is not + embedder policy's + value is not "credentialless", return true.

      5. If request's origin is same origin with @@ -3535,17 +3536,18 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or

        If policy is null, switch on embedderPolicyValue:

        `unsafe-none` -
        Do nothing. +

        Do nothing.

        `credentialless` -
        Set policy to `same-origin` if one of the following is true: - +
        +

        Set policy to `same-origin` if one of the following is true: +

        `require-corp` -
        Set policy to `same-origin`. +

        Set policy to `same-origin`.

      6. @@ -4707,7 +4709,7 @@ steps. They return a response.

        is true; otherwise false.

      7. If Cross-Origin-Embedder-Policy allows credentials with request returns - false, set includeCredentials to false.

        + false, then set includeCredentials to false.

      8. Let contentLength be httpRequest's body's length, if httpRequest's body is non-null; From 63cbf5659bbf7d977e95eab0bf74ef082612b08a Mon Sep 17 00:00:00 2001 From: ArthurSonzogni Date: Tue, 2 Nov 2021 00:33:03 +0100 Subject: [PATCH 14/16] Address domenic comments. --- fetch.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fetch.bs b/fetch.bs index 192a74fe7..79fc8fb47 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1893,7 +1893,7 @@ source of security bugs. Please seek security review for features that deal with

      To check Cross-Origin-Embedder-Policy allows credentials, given a -request request, run theses steps: +request request, run these steps:

      1. If request's mode is not no-cors", then return @@ -3535,10 +3535,10 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or

      2. If policy is null, switch on embedderPolicyValue:

        -
        `unsafe-none` +
        "unsafe-none"

        Do nothing. -

        `credentialless` +
        "credentialless"

        Set policy to `same-origin` if one of the following is true:

          @@ -3546,7 +3546,7 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or
        • forNavigation is true.
        -
        `require-corp` +
        "require-corp"

        Set policy to `same-origin`.

      3. @@ -4709,7 +4709,7 @@ steps. They return a response.

        is true; otherwise false.

      4. If Cross-Origin-Embedder-Policy allows credentials with request returns - false, then set includeCredentials to false.

        + false, then set includeCredentials to false.
      5. Let contentLength be httpRequest's body's length, if httpRequest's body is non-null; @@ -7889,7 +7889,7 @@ Arkadiusz Michalski, Arne Johannessen, Artem Skoretskiy, Arthur Barstow, -Arthur Sonzogni, , +Arthur Sonzogni, Asanka Herath, Axel Rauschmayer, Ben Kelly, From 3eb0723249e1452bb2769fafc663d0d1fb6b284b Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Tue, 2 Nov 2021 14:21:21 +0100 Subject: [PATCH 15/16] alotta nits --- fetch.bs | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/fetch.bs b/fetch.bs index 79fc8fb47..9fa890cd3 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1892,28 +1892,28 @@ source of security bugs. Please seek security review for features that deal with exclude fragment set to true.

      -

      To check Cross-Origin-Embedder-Policy allows credentials, given a +

      To check if Cross-Origin-Embedder-Policy allows credentials, given a request request, run these steps:

      1. If request's mode is not no-cors", then return true.

        -
      2. If request's client is null, return true.

        +
      3. If request's client is null, then return true.

      4. If request's client's policy container's - embedder policy's - value is not - "credentialless", return true.

        + embedder policy's value is not + "credentialless", then return true.

      5. If request's origin is same origin with request's current URL's origin and - request's tainted origin flag is not set, return true.

        + request's tainted origin flag is not set, then return true.

      6. Return false.

      +

      Responses

      The result of fetch is a @@ -1999,8 +1999,7 @@ initially unset. being provided to an API that didn't make a range request. See the flag's usage for a detailed description of the attack. -

      A response has an associated -request-include-credentials +

      A response has an associated request-includes-credentials (a boolean), which is initially true.

      A response has an associated @@ -3481,7 +3480,7 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or

    • If the cross-origin resource policy internal check with origin, - "unsafe-none", response, and + "unsafe-none", response, and forNavigation returns blocked, then return blocked.

      This step is needed because we don't want to report violations not related to @@ -3516,7 +3515,7 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or

      1. If forNavigation is true and embedderPolicyValue is - "unsafe-none", then return allowed. + "unsafe-none", then return allowed.

      2. Let policy be the result of getting @@ -3525,7 +3524,7 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or

        This means that `Cross-Origin-Resource-Policy: same-site, same-origin` ends up as allowed below as it will never match anything, as long as - embedderPolicyValue is "unsafe-none". + embedderPolicyValue is "unsafe-none". Two or more `Cross-Origin-Resource-Policy` headers will have the same effect. @@ -3533,20 +3532,22 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or `cross-origin`, then set policy to null.

      3. -

        If policy is null, switch on embedderPolicyValue:

        +

        If policy is null, then switch on embedderPolicyValue:

        +
        -
        "unsafe-none" +
        "unsafe-none"

        Do nothing. -

        "credentialless" +
        "credentialless"
        -

        Set policy to `same-origin` if one of the following is true: +

        Set policy to `same-origin` if: +

        -
        "require-corp" +
        "require-corp"

        Set policy to `same-origin`.

      4. @@ -5071,7 +5072,7 @@ steps. They return a response.
      5. If httpRequest's header list contains `Range`, then set response's range-requested flag. -

      6. Set response's request-include-credentials to +

      7. Set response's request-includes-credentials to includeCredentials.

      8. From 60a8cf147fd664d7448af02af09fb56e7164ed48 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Wed, 3 Nov 2021 08:53:42 +0100 Subject: [PATCH 16/16] one more nit --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 9fa890cd3..cf5bb58c1 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1896,7 +1896,7 @@ source of security bugs. Please seek security review for features that deal with request request, run these steps:
          -
        1. If request's mode is not no-cors", then return +

        2. If request's mode is not "no-cors", then return true.

        3. If request's client is null, then return true.