-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Address third-party-cookie blocking #2
Comments
I think you need to consider the partitioned origin case as well. For example, webkit "double keys" storage when origins are loaded as a 3rd party. Firefox also has some configurations which do the same thing. This is not as simple as blocking storage. For example, a hostile page could load its entire partitioned database into memory and then check to see if its promoted to first party status. If it is, then it shoves all its precious tracking data into the first party storage to be exfiltrated later. Of course, webkit has a similar issue with their "storage access API" which promotes storage to non-partitioned status without reloading. AFAICT their best answer to this issue of data cross boundaries is to hand wave "heuristics" as preventing promotion on these sites. Seems risky to me. There are other APIs affected by this kind of partitioning as well:
Its kind of unclear to me the implications of all this without a more concrete processing model to look at. |
I don't see how "check to see if its promoted to first party status. If it is, then it shoves all its precious tracking data into the first party storage to be exfiltrated later" could happen though. Scenario:
If the hostile page picked "Continue to operate under its unique origin", then it can't access or merge the data into its canonical origin storage. If the hostile page picked "Reload to work under its canonical origin", then the unique origin data is lost and can't be merged into its canonical origin storage. Am I missing something? |
I think this addresses my immediate concern, thanks. And I agree with the initial issue here that we can't do much if the first party is participating to funnel data out. Note, we do have the concept of an opaque unique origin, but I'm not sure if they can access storage or not. That can be implemented, though. |
Address issue #2: - Third party cookie blocking - Double keys storage
@wanderview @jyasskin Let me know if the PR resolves this issue. |
Tentatively closing. |
Sorry, I've had looking at this again on my todo list for the last week. The PR looks reasonable based on our above discussion. I did think of another possible privacy issue with restricted mode in browsers that double-key, though:
Also, what should happen in the various portal modes if there are outstanding network requests? For example, the hostile server keeps the connection to the tracking image open for a long time instead of allowing it to complete normally. Should these be canceled, allowed to complete in the 3rd party context, or allowed to complete in the new 1st party context? Finally, do you think browsers that do double-keying will be able to achieve the use cases desired here? It would seem if the portal site contains any kind of logged in information the promotion won't work as expected as content will need to change or the user will have to log back in, etc. Its probable I don't understand the use cases well enough, though. |
Would this network access be allowed in Isolated Mode? It says:
Does that mean that Signed Exchanges are required and all network access would fail? |
Hmm, maybe? I guess it would be nice to clarify it with an example if that is the case. I'm a little confused by the second bullet there:
Does that mean it could have a non-self-contained package that hits the same-origin server with a hashed resource? I guess it could use some clarification. As a side note, it might be nice to summarize the concrete restrictions in another document or another section. Its kind of hard to see the whole picture when they are intermixed through the explainer with design discussion. |
Just submitted #9, which I think is a related question and also could be clarified with more details about restrictions. |
@wanderview keeps reminding us to consider browsers that block third-party cookies, and we keep failing to do it. Here's my attempt for portals:
When a portal is promoted, that's a navigation, which is a point at which any first-party page can pass arbitrary data via query parameters or even a POST body to a third-party as that third-party is becoming a first-party. So, while the
<portal>
is a portal, browsers should block its access to cookies/storage in the same way they block any third-party (which resembles the https://github.com/KenjiBaheux/portals/blob/master/explainer.md#constraint-2 restrictions), but then if it gets promoted, it can gain access to its cookies/storage without needing any state it's built up as a<portal>
to be cleared. After all, with a cooperating first-party, it could pass that state up and then back to itself through the query parameters.@wanderview, is that convincing, or have I missed something?
The text was updated successfully, but these errors were encountered: