Wildcards in Permissions Policy Origins #765
Comments
arichiv
added
Progress: untriaged
Review type: CG early review
|
Does this provide an easy, dangerous mistake for web developers? Currently, the developer has to delegate the origins specifically: I might decide I want this particular feature to be accessible at That is, in your questionnaire answers, you repeatedly note that this isn't creating any new capabilities. But is it encouraging accidental expansion of a capability to potentially many different origins? Does this change introduce a new dependency on the PSL? What happens if the PSL is out of date or a site is accidentally included/not included? |
|
It's true that a developer might be encouraged by this new feature to allow I was planning to depend on the PSL by referencing this language. As the permissions policy directives aren't cached beyond the lifetime of the page load, if the list is out of date it could result in sites being delegated (or not being delegated) permissions. If an invalid target is detected in the list that target would be ignored without throwing away the rest of the targets (i.e., |
|
I have a few questions about matching: Also, to avoid only opening everything, would it be possible to have negative matches? |
Yes
No, you can only ever have one wildcard and it must have a
We want to keep this first foray into wildcards to the minimum feature set to support the use case (CDNs with hundreds of subdomains). In the future, more flexible matching (like what's supported in the Content Security Policy) might be added, and later down the line support for negation could then be considered in both spots. It's a lot easier to expand the syntax if we need more later than to shrink it if we over-extend now. |
|
We discussed this issue today in our call and came to the conclusion that a way to mitigate the "all on or all off" effect of the wildcard as currently defined. Something as simple as possible, like allowing only one partial match (but we let you discuss what could be an acceptable solution) would be good to avoid people using it too broadly "to make it work". |
|
I'm not sure I understand. It doesn't look like the minutes have been published yet, but I can read the notes from the 10/10 meeting when they're available. |
torgo
added
the
Progress: pending external feedback
|
@arichiv did you have time to read our feedback? Any plan on working on it? |
|
Yes! Sorry for the delay, I hope to get to the expansions proposed Q1 2023. |
|
Ok thanks for letting us know. Please let us know updates when you can. |
|
There has been a further expansion of this proposal. Specifically: Subdomain wildcards in allowlists provided some valuable flexibility, but differed from existing wildcard parsers and required novel code and spec work. This intent will reduce that overhead by reusing parts of the existing Content Security Policy spec and permitting ‘scheme + wildcard domain’ and ‘wildcard port’ in the allowlist. Specifically, this intent would adopt the definition of host-source and scheme-source instead of origin in the Allowlist definition while requiring that the path-part is empty (as Permissions Policies apply to matching origins). This would change three things from the prior wildcard implementation (all of which expand the range of allowed wildcards and none of which add new restrictions): (1) Removing the eTLD+1 requirement for subdomain wildcards (2) Allowing scheme restrictions on wildcard domains. (3) Allowing port wildcards. |
|
Thank you for the update! We've reviewed the latest changes and they look good. We've also noted the positive developments on multi-stakeholder support on the Mozilla and Webkit standards positions threads. Despite the fact that we would like to see intersections in matching, the fact that is now consistent with CSP is good. We're happy to see this move forward and on that basis we're going to close this review. |
torgo
added
Resolution: satisfied
Wotcher TAG!
I'm requesting a TAG review of Wildcards in Permissions Policy Origins.
INITIAL PROPOSAL
The Permissions Policy specification “defines a mechanism that allows developers to selectively enable and disable use of various browser features and APIs.” One capability of this mechanism allows features to be enabled only on explicitly enumerated origins (e.g., https://foo.com/). This mechanism is not flexible enough for the design of some CDNs, which deliver content via an origin that might be hosted on one of several hundred possible subdomains.
This feature will add support for wildcard in permissions policy structured like SCHEME://*.HOST:PORT (e.g., https://*.foo.com/) where a valid Origin could be constructed from SCHEME://HOST:PORT (e.g., https://foo.com/). This requires that HOST is at least eTLD+1 (a registrable domain). This means that https://*.bar.foo.com/ works but https://*.com/ won’t (if you want to allow all domains to use the feature, you should just delegate to *). Wildcards in the scheme and port section will be unsupported and https://*.foo.com/ does not delegate to https://foo.com/.
Before, a permissions policy might need to look like:
permissions-policy: ch-ua-platform-version=(self "https://foo.com" "https://cdn1.foo.com" "https://cdn2.foo.com" "https://foo.cdn2.foo.com/")
With this feature, it could look like:
permissions-policy: ch-ua-platform-version=(self "https://foo.com" "https://*.foo.com")
EXPANDED PROPOSAL
Subdomain wildcards in allowlists provided some valuable flexibility, but differed from existing wildcard parsers and required novel code and spec work. This intent will reduce that overhead by reusing parts of the existing Content Security Policy spec and permitting ‘scheme + wildcard domain’ and ‘wildcard port’ in the allowlist.
Specifically, this intent would adopt the definition of host-source and scheme-source instead of origin in the Allowlist definition while requiring that the path-part is empty (as Permissions Policies apply to matching origins). This would change three things from the prior wildcard implementation (all of which expand the range of allowed wildcards and none of which add new restrictions):
(1) Removing the eTLD+1 requirement for subdomain wildcards
Previously, you could not have a subdomain wildcard like “https://.com” but could have one like “https://.example.com”.
Now, you can have subdomain wildcards both like “https://.com” and “https://.example.com”.
(2) Allowing scheme restrictions on wildcard domains.
Previously, you could allow “” but not restrict to a specific scheme like “https://” or “https:”.
Now, you can still allow “” but have the option of delegating to just a specific scheme like “https://” or “https:” (the behavior of these is identical).
(3) Allowing port wildcards.
Previously you could delegate to the default https port like “https://example.com” or “https://example.com:443” (the behavior of these is identical), but there was no way to explicitly delegate to all ports like “https://example.com:*”.
Now, you can still delegate to “https://example.com” or “https://example.com:443” but delegation is also permitted to a wildcard port like “https://example.com:*”.
Further details:
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback
Security and Privacy questionnaire for TAG
The text was updated successfully, but these errors were encountered: