Redact ancestorOrigins using iframe referrerpolicy#11560
Conversation
|
I think using the document's referrer is the wrong model. Because we don't care about the referrer of top-level example.com (how the user got to example.com, perhaps from search.example), we care about example.com's policy (or its |
|
I created a doc to work out how to specify this with the new model: https://docs.google.com/document/d/1TDryRMiw7sVKBfrvnzEQk0PzGQk7_G7ShF4Uy68MvSU/edit?usp=sharing Copy of the doc's current stateExample 1
Result: [“https://widget.example”, “null”] Example 2
Result: ??? AlgoHTML:
Referrer Policy: To get an origin if the referrer policy allows given an element or null container, a document doc, and a document innerDoc:
|
|
Doc updated. I've changed the algorithm to avoid exposing A's origin in the A->A->C case with the innermost iframe having Copy of the doc's current stateAlgorithmHTML:
Referrer Policy: To get an ancestor origin if the referrer policy allows given an Element container, a Document doc, and a Document innerDoc:
Note: Since mixed content checks prevent non-secure context documents in secure context documents, there’s no need to check secure context for “strict-origin”, "strict-origin-when-cross-origin", and “no-referrer-when-downgrade”. Polyfill + demohttps://software.hixie.ch/utilities/js/live-dom-viewer/saved/14030 Examplesiframe referrerpolicy=”no-referrer”
Child: Examples below are from w3c/webappsec-referrer-policy#77 (comment) top -> sandboxed iframe -> 3rd party iframe (ad)
Grandchild: {1, a.com} default referrer policy -> loads {2, b.com} with noreferrer attribute on the iframe tag that's loading b.com -> loads {3, a.com}
Grandchild: {1, a.com} default referrer policy -> loads {2, b.com} with noreferrer attribute on the iframe tag inside {2} -> loads {3, a.com}
Grandchild: {1, a.com} default referrer policy -> loads {2, a.com} with noreferrer attribute on the iframe tag inside {2} -> loads {3, c.com}
Grandchild: {1, a.com} default referrer policy -> loads {2, b.com} with default referrer policy -> loads {3, b.com} with noreferrer attribute on the iframe tag inside {3} -> loads {4, a.com}
Grandgrandchild: |
|
After discussing with @farre we found out that reading the |
This was not correct, the spec computes the ancestor origins list when the
https://html.spec.whatwg.org/#concept-location-ancestor-origins-list
https://html.spec.whatwg.org/#the-location-interface So no need to store Copy of the doc's current stateAlgorithmA Location object has an associated ancestor origin objects list. When a Location object is created, its ancestor origins list must be set to the list of origins that the following steps would produce:
Note: Since mixed content checks prevent non-secure context documents in secure context documents, there’s no need to check secure context for “strict-origin”, "strict-origin-when-cross-origin", and “no-referrer-when-downgrade”. A Location object has an associated ancestor origins list. When a Location object is created, its ancestor origins list must be set to a DOMStringList object whose associated list is the list of strings the following steps would produce:
Polyfill + demohttps://software.hixie.ch/utilities/js/live-dom-viewer/saved/14047 Examplesiframe referrerpolicy=”no-referrer”
Child: ["null"] {1, a.com} default referrer policy -> loads {2, b.com} -> loads {3, a.com}
Grandchild: ["https://b.com","https://a.com"\] Examples below are from w3c/webappsec-referrer-policy#77 (comment) top -> sandboxed iframe -> 3rd party iframe (ad)
Grandchild: ["null","https://a.com"\] {1, a.com} default referrer policy -> loads {2, b.com} with noreferrer attribute on the iframe tag that's loading b.com -> loads {3, a.com}
Grandchild: ["https://b.com","null"\] {1, a.com} default referrer policy -> loads {2, b.com} with noreferrer attribute on the iframe tag inside {2} -> loads {3, a.com}
Grandchild: ["null","https://a.com"\] {1, a.com} default referrer policy -> loads {2, a.com} with noreferrer attribute on the iframe tag inside {2} -> loads {3, c.com}
Grandchild: ["null","null"] {1, a.com} default referrer policy -> loads {2, b.com} with default referrer policy -> loads {3, b.com} with noreferrer attribute on the iframe tag inside {3} -> loads {4, a.com}
Grandgrandchild: ["null","null","https://a.com"\] TODOs |
|
I've updated this PR, the algorithm should be the same as in the doc. |
This implements this attribute on Location and also adheres to the changes to the spec introduced in whatwg/html#11560 Due to the tentative nature of the spec, and details still being hashed out, this PR is subject to minor changes.
This follows the current revamping of the spec found at whatwg/html#11560 and will change with it, potentially.
|
I wrote a summary of what this change does in the OP. (To be used in the commit message when squashing.) |
|
cc @domfarolino |
|
Before I forget: we need to patch https://w3c.github.io/ServiceWorker/#client-ancestororigins at the same time. |
3c5e61f to
0004ccb
Compare
|
@annevk as far as I can tell, the call sites for Create Window Client use a |
|
What is the reason for using the referrer policy instead of a new attribute / header? Are we not concerned that this would lead to situations where one of the two features is required, making it impossible for sites to opt out of the other? |
This implements this attribute on Location and also adheres to the changes to the spec introduced in whatwg/html#11560 Due to the tentative nature of the spec, and details still being hashed out, this PR is subject to minor changes.
This follows the current revamping of the spec found at whatwg/html#11560 and will change with it, potentially.
|
So I've noticed a "bug" in the spec, or at least what we're expecting with one of the tests (and possibly others), while implementing this in Gecko (referenced commit in this convo).
In this example, A1->B1->A2, where I don't know how we could even "turn the feature back on", with this approach as intended in that test, as empty string != default on, right? |
I think because it's similar enough to be used and because if a page uses referrer policy to hide itself from another document,
When would sites want to hide only one? |
This implements this attribute on Location and also adheres to the changes to the spec introduced in whatwg/html#11560 Tentative tests are also added in this patch. Differential Revision: https://phabricator.services.mozilla.com/D273393 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1085214 gecko-commit: 626bfdb90f3e1a0f78c6a6e832697520396e66bf gecko-reviewers: necko-reviewers, webidl, dom-core, smaug, jesup, zcorpan
This implements this attribute on Location and also adheres to the changes to the spec introduced in whatwg/html#11560 Tentative tests are also added in this patch. Differential Revision: https://phabricator.services.mozilla.com/D273393 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1085214 gecko-commit: f3415e1670266a11917af7fff4ba14afde5d7ca5 gecko-reviewers: necko-reviewers, webidl, dom-core, smaug, jesup, zcorpan, devtools-reviewers, nchevobbe
| <var>output</var>.</p></li> | ||
|
|
||
| <li><p>Otherwise, <span data-x="list append">append</span> <var>ancestorOrigin</var> to | ||
| <var>output</var> and set <var>masked</var> to false.</p></li> |
There was a problem hiding this comment.
This seems surprising. Can't the further ancestor be cross-origin with both parent and self? I guess the idea is that it's already an opaque origin in that case?
There was a problem hiding this comment.
It can be, and it's intended to expose the further ancestor's origin in that case (see #11560 (comment) ) unless it opted to hide its origin.
This aligns `ancestorOrigins` exposure with referrer policy when using the `iframe referrerpolicy` attribute, so an embedder can prevent revealing its own origin to embedded documents. If an `<iframe>` uses `referrerpolicy="no-referrer"` or `same-origin` (and the parent and child are cross-origin), the parent’s origin and any same-origin ancestors are replaced with opaque origins (until reaching an ancestor that is cross-origin). Other policies continue to expose full origins. This approach keeps existing behavior by default (for web compat) while addressing privacy concerns with an opt-out. The algorithm reuses the parent's existing list of ancestor origins, avoiding synchronous cross-process lookups and ensuring a stable snapshot even if ancestors mutate their `referrerpolicy` attributes later. Fixes #1918. Closes #2480.
6a302f4 to
2568667
Compare
|
Rebased and resolved conflicts (from #12071 ). |
annevk
left a comment
There was a problem hiding this comment.
This looks okay to me, but I'd like to see some of the slightly confusing cases better clarified.
|
|
||
| <p class="note">Since <span>mixed content</span> checks prevent <span>non-secure context</span> | ||
| <span data-x="environment">environments</span> in <span>secure context</span> <span | ||
| data-x="environment">environments</span>, there's no need to check <span>secure context</span> |
There was a problem hiding this comment.
secure contexts?
(There was a proposal btw to allow non-secure contexts inside secure contexts...)
annevk
left a comment
There was a problem hiding this comment.
Very nice. I think one case we could improve a little bit by using an early continue. That way the branching is less deep and less duplicated.
…storOrigins with iframe referrerpolicy, a=testonly Automatic update from web-platform-tests [service-workers] Test WindowClient ancestorOrigins with iframe referrerpolicy See whatwg/html#11560 -- wpt-commits: 60cd2c1605e452c62db05f93873cc7a148fa6093 wpt-pr: 56616
…storOrigins with iframe referrerpolicy, a=testonly Automatic update from web-platform-tests [service-workers] Test WindowClient ancestorOrigins with iframe referrerpolicy See whatwg/html#11560 -- wpt-commits: 60cd2c1605e452c62db05f93873cc7a148fa6093 wpt-pr: 56616 UltraBlame original commit: a3f6b619cfa40bfea66b1b03c72b13d326f1ba27
…storOrigins with iframe referrerpolicy, a=testonly Automatic update from web-platform-tests [service-workers] Test WindowClient ancestorOrigins with iframe referrerpolicy See whatwg/html#11560 -- wpt-commits: 60cd2c1605e452c62db05f93873cc7a148fa6093 wpt-pr: 56616 UltraBlame original commit: a3f6b619cfa40bfea66b1b03c72b13d326f1ba27
…storOrigins with iframe referrerpolicy, a=testonly Automatic update from web-platform-tests [service-workers] Test WindowClient ancestorOrigins with iframe referrerpolicy See whatwg/html#11560 -- wpt-commits: 60cd2c1605e452c62db05f93873cc7a148fa6093 wpt-pr: 56616 UltraBlame original commit: a3f6b619cfa40bfea66b1b03c72b13d326f1ba27
This aligns
ancestorOriginsexposure with referrer policy when using theiframe referrerpolicyattribute, so an embedder can prevent revealing its own origin to embedded documents. If an<iframe>usesreferrerpolicy="no-referrer"orsame-origin(and the parent and child are cross-origin), the parent’s origin and any same-origin ancestors are replaced with opaque origins (until reaching an ancestor that is cross-origin). Other policies continue to expose full origins.This approach keeps existing behavior by default (for web compat) while addressing privacy concerns with an opt-out.
The algorithm reuses the parent's existing list of ancestor origins, avoiding synchronous cross-process lookups and ensuring a stable snapshot even if ancestors mutate their
referrerpolicyattributes later.Fixes #1918. Closes #2480.
(See WHATWG Working Mode: Changes for more details.)
/browsers.html ( diff )
/browsing-the-web.html ( diff )
/document-lifecycle.html ( diff )
/document-sequences.html ( diff )
/dom.html ( diff )
/iframe-embed-object.html ( diff )
/index.html ( diff )
/infrastructure.html ( diff )
/nav-history-apis.html ( diff )