Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wildcards in Permissions Policy Origins #51

Closed
arichiv opened this issue Aug 26, 2022 · 8 comments
Closed

Wildcards in Permissions Policy Origins #51

arichiv opened this issue Aug 26, 2022 · 8 comments
Assignees
@johnwilander @marcoscaceres @annevk
Labels
from: Google Proposed, edited, or co-edited by Google. position: support topic: security venue: W3C Web Application Security WG Proposal is being reviewed in the W3C's Web Application Security WG (aka WebAppSec)

Comments

@arichiv
Copy link

arichiv commented Aug 26, 2022
edited by annevk
Loading

Request for position on an emerging web specification

Information about the spec

Design reviews and vendor positions

Bugs tracking this feature

Anything else we need to know

Design Doc

This feature will add support for wildcard in permissions policy structured like SCHEME://*.HOST:PORT (e.g., https://*.foo.com/) where a valid Origin could be constructed from SCHEME://HOST:PORT (e.g., https://foo.com/). This requires that HOST is at least eTLD+1 (a registrable domain). This means that https://*.bar.foo.com/ works but https://*.com/ won’t (if you want to allow all domains to use the feature, you should just delegate to *). Wildcards in the scheme and port section will be unsupported and https://*.foo.com/ does not delegate to https://foo.com/.

Before, a permissions policy might need to look like:
permissions-policy: ch-ua-platform-version=(self "https://foo.com" "https://cdn1.foo.com" "https://cdn2.foo.com" "https://foo.cdn2.foo.com")

With this feature, it could look like:
permissions-policy: ch-ua-platform-version=(self "https://foo.com" "https://*.foo.com")
This was referenced Aug 26, 2022
Closed
Closed
@othermaciej othermaciej added venue: W3C Web Application Security WG Proposal is being reviewed in the W3C's Web Application Security WG (aka WebAppSec) topic: security from: Google Proposed, edited, or co-edited by Google. labels Sep 25, 2022
@annevk
Copy link
Contributor

annevk commented Sep 26, 2022

At TPAC I gave the feedback that this should reuse the CSP parser (it could still be more restrictive than CSP, but we should try to limit the number of parsers we have around this space). Overall this seems reasonable to me, although it may lead to inadvertent delegation to an origin that the corresponding site is not in control over (e.g., the webmail endpoint or some such).

@arichiv
Copy link
Author

arichiv commented Sep 26, 2022

Would you be okay with setting parser re-use as a goal after initial implementation, but before any future extensions are made? Specifically, as far as spec modification goes.

@arichiv arichiv mentioned this issue Mar 14, 2023
Open
@arichiv
Copy link
Author

arichiv commented Mar 14, 2023

There is a new expansion of this proposal, specifically:

Subdomain wildcards in allowlists provided some valuable flexibility, but differed from existing wildcard parsers and required novel code and spec work. This intent will reduce that overhead by reusing parts of the existing Content Security Policy spec and permitting ‘scheme + wildcard domain’ and ‘wildcard port’ in the allowlist.

Specifically, this intent would adopt the definition of host-source and scheme-source instead of origin in the Allowlist definition while requiring that the path-part is empty (as Permissions Policies apply to matching origins). This would change three things from the prior wildcard implementation (all of which expand the range of allowed wildcards and none of which add new restrictions):

(1) Removing the eTLD+1 requirement for subdomain wildcards
Previously, you could not have a subdomain wildcard like “https://*.com” but could have one like “https://*.example.com”.
Now, you can have subdomain wildcards both like “https://*.com” and “https://*.example.com”.

(2) Allowing scheme restrictions on wildcard domains.
Previously, you could allow “*” but not restrict to a specific scheme like “https://*” or “https:”.
Now, you can still allow “*” but have the option of delegating to just a specific scheme like “https://*” or “https:” (the behavior of these is identical).

(3) Allowing port wildcards.
Previously you could delegate to the default https port like “https://example.com” or “https://example.com:443” (the behavior of these is identical), but there was no way to explicitly delegate to all ports like “https://example.com:\*”.
Now, you can still delegate to “https://example.com” or “https://example.com:443” but delegation is also permitted to a wildcard port like “https://example.com:\*”.

@annevk
Copy link
Contributor

annevk commented Mar 15, 2023

Thanks for the update! Is there any progress on layering this correctly?

FWIW, I found some substantive issues in CSP looking at how this matching is defined there:

@hober hober moved this from Unscreened to Needs position in Standards Positions Review Backlog Mar 23, 2023
@hober hober moved this from Needs position to Needs assignees in Standards Positions Review Backlog Mar 27, 2023
@hober hober moved this from Needs assignees to Needs position in Standards Positions Review Backlog Mar 27, 2023
@marcoscaceres marcoscaceres self-assigned this Mar 31, 2023
@marcoscaceres marcoscaceres added the concerns: integration Can't be used w/ other web platform features (or unclear what happens if used together) label Apr 3, 2023
@marcoscaceres
Copy link
Contributor

Add integration concerns because of #51 (comment)

@arichiv we discussed this internally and we'd really like to see more movement on the layering issues @annevk filed #51 (comment) before we are confident about reaching a position. That will also give us more confidence about maintenance.

@annevk annevk added the blocked Coming to a position is blocked on issues identified with the spec or proposal. label Apr 3, 2023
@arichiv
Copy link
Author

arichiv commented Jun 9, 2023

The spec change landed: w3c/webappsec-permissions-policy#516

And 2/3 of the CSP issues highlighted by @annevk have been addressed.

As I pursue chrome launch are there any objections from WebKit we should be aware of?

@annevk annevk removed blocked Coming to a position is blocked on issues identified with the spec or proposal. concerns: integration Can't be used w/ other web platform features (or unclear what happens if used together) labels Jun 16, 2023
@annevk
Copy link
Contributor

annevk commented Jun 16, 2023

Thank you for the substantial progress you made on this @arichiv across both specifications! I filed a couple follow-up issues, but by-and-large this looks good now (CSP needing improvements notwithstanding). As this is now layered on top of CSP I suggest we resolve this as "position: support" one week from now.

@hober hober moved this from Needs position to Done in Standards Positions Review Backlog Oct 17, 2023
@hober
Copy link
Member

hober commented Oct 17, 2023

It's been a bit longer than a week. :)

@hober hober closed this as completed Oct 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@johnwilander johnwilander

@marcoscaceres marcoscaceres

@annevk annevk

Labels
from: Google Proposed, edited, or co-edited by Google. position: support topic: security venue: W3C Web Application Security WG Proposal is being reviewed in the W3C's Web Application Security WG (aka WebAppSec)
Projects
Standards Positions Review Backlog
Status: Done
Milestone
No milestone
Development

No branches or pull requests
6 participants
@hober @arichiv @johnwilander @marcoscaceres @othermaciej @annevk