Proposal: allow grouping permissions by year #481
Comments
|
I don't think this will work because what is supported per year will be user agent dependent (and unlikely to get agreement). It's also a bit of a footgun, because it doesn't actually tell you what is included per year. |
|
You can also use a generation or version number, but I also think it needs an easy way to „deny all“ for hardening headers. |
|
For reference, this kind of issue is typically solved by using a library/middleware which automatically inserts headers. Basically, the developer just installs a library like Helmet for NodeJS Express or Talisman for Flask, and then the library can make educated guesses regarding the desired headers. These libraries/middlewares can provide an option to disable all permissions by default and permit only specified exceptions. For example, Flask supports both Permissions-Policy and its predecessor Feature-Policy at the same time. This approach would have the least compatibility fallout because then each project explicitly decides when to upgrade its middleware dependency and is actually in control of its own headers. |
|
On Sun, Sep 04, 2022 at 02:34:22PM -0700, Anton Bershanskiy wrote:
For reference, this kind of issue is typically solved by using a library/middleware which automatically inserts headers.
This does not solve the issue of header bloat. Right now, the header is over 1kb and will only get larger with time.
…--
Seirdy (https://seirdy.one)
|
Is header bloat that big of a problem in practice? I believe that if the HTTP header remains the same within the entire HTTP/2 or HTTP/3 session, then the header will be sent only once and saved by the server, and then reused afterward. This article gives an example for HTTP/2. HTTP/1.1 does not explicitly support header compression, but it does support compressing the entire message, so headers are somewhat compressed too. |
|
On Mon, Sep 05, 2022 at 03:12:23PM -0700, Anton Bershanskiy wrote:
Is header bloat that big of a problem in practice? I believe that if the HTTP header remains the same within the entire HTTP/2 or HTTP/3 session, then the header will be sent only once and saved by the server, and then reused afterward.
HPACK and QPACK are optional features that not all browsers and clients support. libcurl, for instance, supports neither. Moreover, this also requires HTTP/2 and HTTP/3 support; a quick look through a typical access log for a public service should reveal that HTTP/1.1 responses are still quite common.
This only applies to repeat visits. Initial visits will still have significant header bloat, making it difficult to initiate a connection/download for all blocking resources in the first round-trip.
This only addresses the performance issues of header bloat, but there's also the secondary issue of complexity (e.g. requiring middleware). As this header will only get bigger every time a new sensitive feature is standardized, we need some sort of forwards-compatible mechanism to keep it under control. A biennial meeting to figure out the set of implemented directives seemed like the most obvious choice to me.
…--
Seirdy (https://seirdy.one)
|
|
Well,
|
|
Another aspect, a deny-list approach is generally frowned upon in the security community. Why start it here. Yes the web might be of open nature, thats why a single header "lock everything i will request the stuff i need" sounds like a good compromise (even when it has the problem to define what "everything" means :) |
|
Well, this is not a security feature. It's primarily a feature to delegate authority. It also allows imposing restrictions on oneself, but that is not the primary motivation. And safelisting would make it rather problematic to extend it going forward. E.g., it would make it hard-if-not-impossible to introduce a permission for |
|
One place where having a broad safelisting-based approach is when creating gateways to other systems such that their content is supposed be rendered at least to some degree but 1) it's potentially arbitrary and 2) you are comfortable occasionally breaking things that could be used for Bad Purposes™. I have the concern for (older-style, but that have to stick around) IPFS gateways. I could totally live with |
|
The problem is that we don't know who will build upon it and wether or not they will hold it correctly. |
@annevk I'm a browser "with the latest in header compression", fetching a web page. I race a TCP-based ALPN run against an HTTPS record lookup (Chromium's behavior). Either the HTTP/2 ALPN wins the race, or the HTTPS DNS record does not exist. Both are, and will remain, common scenarios. So I fetch the page over HTTP/2. This is the initial request; dynamic HPACK hasn't kicked in. I download a 1.56kb HTTP response header: Now, through I've burned 3.2kb on what may be a small page, for one header. Rendering hasn't started yet. Add headers this is meant to complement ( CSP had a good solution: grouping the fetch directives that existed at the time under POSSE note from https://seirdy.one/notes/2023/08/03/permissions-policy-header-bloat/ |
|
Just over a year later, a full invocation of the header that includes all Chromium permissions has grown from 1.56kb to 1.83kb: My point about gradual growth of this header is evidenced by the the history of the Chromium DevTools generated |
A comprehensive Permissions-Policy header to "opt out of everything":
Others have suggested an
allpermission; however, this isn't feasible because the meaning ofallwill change every time a new permission is added. Sites usingallwill not be forward-compatible.My proposal: combine all these into a special permission called
2022. In 2023, new permissions might crop up; they won't be included in the2022permission. At the end of 2023, a new permission called2023can be created that will include2022and all permissions added in 2023.The equivalent header content:
The text was updated successfully, but these errors were encountered: