Sec-Fetch-User is not detailed enough #23

annevk · 2019-03-26T09:47:26Z

E.g., if I change the src of an <img> element in response to a click, does that count? What if I invoked fetch() instead? (Note that in case of the latter putting state on requests isn't the way to go.)

The text was updated successfully, but these errors were encountered:

mikewest · 2019-03-26T11:46:00Z

Indeed. It's quite hand-wavy at the moment. The requests I care most about are navigational requests, and the approach sketched out in the spec assumes that we'd check the user activation status in HTML's navigation algorithm, and pass it on to Fetch.

For subresource requests, the implementation behind a flag in Chrome is currently hard-coded to ?F, as we hadn't made a decision about whether it would be useful enough on the server side to expose whether or not the user agent thought that the request was triggered by user activation. If it turns out to be useful, I expect our implementation would rely upon LocalFrame::HasTransientUserActivation, which is being reimplemented on top of https://github.com/mustaqahmed/user-activation-v2.

In the spec, I expect we'd continue to rely on triggered by user activation, but we'd need to examine it explicitly in every case where we construct a request object (as I expect it would be unreasonable to blindly apply that test from inside Fetch).

/cc @arturjanc, as we've talked about this a little bit in the past.

arturjanc · 2019-03-27T10:08:31Z

As a bit of a tangent: after Chrome implements Sec-Fetch-Site: none we're going to gather data about the number of cross-site navigations that don't set Sec-Fetch-User: ?T and review what causes them. Depending on how frequently this happens, we'll have an idea about the cases where it's tractable to block/redirect requests without a user-activation (to protect against some XS-Search attacks).

This patch: * Locks `Sec-Fetch-User` to navigation requests. * Drops the header when it's `false`. * Sketches out monkeypatches to Fetch and HTML in a little more detail so that we can have a more focused discussion around the integration points we'll want in the future. Fixes #19. Partially addresses #23.

mikewest · 2019-03-29T09:20:37Z

In 79938e0, I've locked the header to navigation requests (in https://mikewest.github.io/sec-metadata/#sec-fetch-user-header), and done a little work to explain the integration between Fetch and HTML in (https://mikewest.github.io/sec-metadata/#fetch-integration).

Do those look like patches you'd consider accepting against those documents, @annevk?

annevk · 2019-03-29T11:11:31Z

That is probably reasonable, yes. Assuming navigate hasn't gone in parallel by the time you do the "triggered by user activation" check.

As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3

mikewest · 2019-03-29T12:24:31Z

Ok. Tests are being updated in https://chromium-review.googlesource.com/c/chromium/src/+/1545871 (WPT: web-platform-tests/wpt#16148). I'll close this out once that lands, and punt the subresource discussion to #26.

As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3

As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1545871 Reviewed-by: Alex Moshchuk <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#646086}

mikewest · 2019-04-01T10:11:05Z

web-platform-tests/wpt#16148 was merged over the weekend.

…vated, navigational requests., a=testonly Automatic update from web-platform-tests Send `Sec-Fetch-User` only for user-activated, navigational requests. As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1545871 Reviewed-by: Alex Moshchuk <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#646086} -- wpt-commits: b93752a06f9498f774aed288663259cd738f1a7c wpt-pr: 16148

As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1545871 Reviewed-by: Alex Moshchuk <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#646086}

…vated, navigational requests., a=testonly Automatic update from web-platform-tests Send `Sec-Fetch-User` only for user-activated, navigational requests. As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1545871 Reviewed-by: Alex Moshchuk <alexmoschromium.org> Commit-Queue: Mike West <mkwstchromium.org> Cr-Commit-Position: refs/heads/master{#646086} -- wpt-commits: b93752a06f9498f774aed288663259cd738f1a7c wpt-pr: 16148 UltraBlame original commit: 595f9f3aa36e9e4e5c8f120d7349c2965613814d

mikewest added the bug Something isn't working label Mar 27, 2019

mikewest mentioned this issue Mar 29, 2019

Sec-Fetch-User for subresource requets? #26

Open

chromium-wpt-export-bot mentioned this issue Mar 29, 2019

Send Sec-Fetch-User only for user-activated, navigational requests. web-platform-tests/wpt#16148

Merged

mikewest closed this as completed Apr 1, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sec-Fetch-User is not detailed enough #23

Sec-Fetch-User is not detailed enough #23

annevk commented Mar 26, 2019

mikewest commented Mar 26, 2019

arturjanc commented Mar 27, 2019

mikewest commented Mar 29, 2019 •

edited

Loading

annevk commented Mar 29, 2019

mikewest commented Mar 29, 2019

mikewest commented Apr 1, 2019

Sec-Fetch-User is not detailed enough #23

Sec-Fetch-User is not detailed enough #23

Comments

annevk commented Mar 26, 2019

mikewest commented Mar 26, 2019

arturjanc commented Mar 27, 2019

mikewest commented Mar 29, 2019 • edited Loading

annevk commented Mar 29, 2019

mikewest commented Mar 29, 2019

mikewest commented Apr 1, 2019

mikewest commented Mar 29, 2019 •

edited

Loading