-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protocol-relative URL and permissions policy #40
Comments
@kevinkiklee @rowan-m FYI |
Hi @alois-bissuel, Thanks for filing this! I put together a quick demo with two iframes, one with an explicit URL as
In this demo, it seems that attribution-reporting is allowed in both. Tested in Chrome Beta and Canary. Would you confirm that you're also seeing this? I also checked if by any chance wikipedia.org had disallowed the feature, it doesn't seem to be the case, and it appears as allowed in the iframe even with a protocol-relative URL. |
+If it helps, I can also give you edit rights to that demo code, let me know! |
EDIT: To clarify, the behavior I observed is the same regardless of whether |
Thank you very much @maudnals for this hosted example. |
Nice to know, noted.
I was able to reproduce locally, but interestingly, only for Here's what I do app.get('/', (req, res) => {
const html =
`<html>` +
// IFRAME 0 - example.com with a protocol-relative URL (no www)
`src="//example.com/"<iframe src="//example.com/" allow="attribution-reporting" frameborder="1"></iframe><br/>` +
// IFRAME 1 - example.com with a protocol-relative URL (with www)
`src="//www.example.com/"<iframe src="//www.example.com/" allow="attribution-reporting" frameborder="1"></iframe><br/>` +
// IFRAME 2 - example.com with an HTTPS URL
`src="https://example.com/"<iframe src="https://example.com/" allow="attribution-reporting" frameborder="1"></iframe><br/>` +
// IFRAME 3 - example.com with an HTTP URL
`src="http://example.com/"<iframe src="http://example.com/" allow="attribution-reporting" frameborder="1"></iframe><br/>` +
// IFRAME 4 - wikipedia.org with a protocol-relative URL (no www)
`src="//wikipedia.org/" <iframe src="//wikipedia.org/" allow="attribution-reporting" frameborder="1"></iframe><br/>` +
// IFRAME 5 - wikipedia.org with a protocol-relative URL (with www)
`src="//www.wikipedia.org/"<iframe src="//www.wikipedia.org/" allow="attribution-reporting" frameborder="1"></iframe><br/>` +
// IFRAME 6 - wikipedia.org with an HTTPS URL
`src="https://wikipedia.org/"<iframe src="https://wikipedia.org/" allow="attribution-reporting" frameborder="1"></iframe>` +
`</html>`;
res.send(html);
});
Observation:
|
Will try tomorrow with your exact same example. |
Observations:
This seems like a site-specific setting, something example.com and wikipedia do differently. Maybe HSTS or along these lines? Will investigate tomorrow. |
Indeed Two more observations:
|
To summarize what we've observed:In both Canary and Beta, in a site that includes an iframe that has
This happens regardless of whether 'src' is present in the policy. @alois-bissuel Please feel free to sanity-check what I've observed with the repro demos, and to share any observations from your side when you get a chance. Thank you! I'm not clear at this stage what causes this behavior and whether this works as intended, so if you're observing the same, I'll reach out to the feature team. |
@alois-bissuel The feature team is looking into this issue, will keep you posted. |
(Apologies for the delayed reply) Our Chrome Eng team has looked into it and it seems the issue has been found ⏤ I haven't had a chance to test, but let me paste here the reply:
|
@alois-bissuel Can you confirm? Now I understand your issue is broader, as in, anytime you embed an iframe that's redirected, you may face this problem. One way to mitigate this is to explicitly list the final destination of the redirect in the policy's src, but I don't know how realistic this is in practice. (Another example: let's take an HTTPS deployed site, that embeds an iframe that looks like this: <iframe src="https://wikipedia.org/" allow="attribution-reporting" frameborder="1">
See a repro here (IFRAME 7) https://shimmer-well-juravenator.glitch.me/) |
Thanks for the detailed conclusion, I will look at it again on Monday. |
Hello, Sorry for not following up on your previous conclusions @maudnals. I believe you nailed the issue and broadened its scope (ie that any redirect will break the permission policy system if we rely on the src shorthand). Thanks again for your thorough investigation ! |
Thanks @alois-bissuel! |
Closing for all the reasons highlighted by @maudnals. |
Hi,
I believe I have found a discrepancy in the way permissions policy are handled in an iFrame using a protocol-relative URL. I noticed that I could not allow the attribution reporting API in an iFrame whose source was a protocol-relative URL, if I did not specify the exact origin with the protocol.
According to what I found in the permissions policy explainer,
allow="attribution-reporting"
is in fact a short-hand forallow="attribution-reporting 'src'"
, where'src'
is a special keyword which resolves to the origin of the source of the iFrame.I believe that in the case of protocol-relative URL, the
'src'
keyword will not resolve to the absolute origin, and hence the attribution-reporting policy is not allowed.I am not sure this is exactly the right place for this question/report, so let me know if I should raise it somewhere more appropriate.
Thanks a lot!
Minimal working example
Create a local webserver which responds with
<html><body><h1><iframe src="//www.wikipedia.org/" allow="attribution-reporting" frameborder="1"></h1></body></html>
Attribution-reporting is not allowed in the wikipedia iFrame
Switching to a "protocol-absolute" URL (ie
src="https://www.wikipedia.org/"
) or specifying the resolved secure origin in the allow (ieallow="attribution-reporting https://www.wikipedia.org"
) will enable attribution-reporting.The text was updated successfully, but these errors were encountered: