Proposal: Control over document.domain
#241
Labels
Comments
|
/cc whatwg/security, @clelland. WDYT? |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 12, 2018
Intent to Implement: TBD Explainer: w3c/webappsec-permissions-policy#241 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71
mikewest
added a commit
to whatwg/html
that referenced
this issue
Nov 12, 2018
This patch introduces the 'document-domain' policy-controlled feature, and updates the 'document.domain' setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a 'SecurityError'. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 12, 2018
Intent: TBD Explainer: w3c/webappsec-permissions-policy#241 Spec: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71
|
I really like this, and throwing is probably the right thing to do, rather than letting script continue on the page blindly. That does mean that it will be possible to induce an exception in a frame by turning off the feature when it is embedded. (If we don't throw an exception here, then the site will almost certainly encounter one when it tries to access the other frame's contentDocument any way. Throwing here more clearly tells developers that setting domain is the behaviour which has been disabled) |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 13, 2018
Intent: TBD Explainer: w3c/webappsec-permissions-policy#241 Spec: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 13, 2018
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71
aarongable
pushed a commit
to chromium/chromium
that referenced
this issue
Nov 13, 2018
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#607530}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 13, 2018
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#607530}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 13, 2018
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#607530}
domenic
pushed a commit
to whatwg/html
that referenced
this issue
Nov 14, 2018
This patch introduces the 'document-domain' policy-controlled feature, and updates the document.domain setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a "SecurityError" DOMException. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
sideshowbarker
added a commit
to w3c/browser-compat-data
that referenced
this issue
Nov 14, 2018
This change adds data for the `document-domain` Feature-Policy directive. See https://html.spec.whatwg.org/multipage/infrastructure.html#document-domain-feature See also whatwg/html@33b566f See also whatwg/html#4170 See also w3c/webappsec-permissions-policy#241
sideshowbarker
added a commit
to w3c/browser-compat-data
that referenced
this issue
Nov 14, 2018
This change adds data for the `document-domain` Feature-Policy directive. See https://html.spec.whatwg.org/multipage/infrastructure.html#document-domain-feature See also whatwg/html@33b566f See also whatwg/html#4170 See also w3c/webappsec-permissions-policy#241
chrisdavidmills
pushed a commit
to mdn/browser-compat-data
that referenced
this issue
Nov 14, 2018
This change adds data for the `document-domain` Feature-Policy directive. See https://html.spec.whatwg.org/multipage/infrastructure.html#document-domain-feature See also whatwg/html@33b566f See also whatwg/html#4170 See also w3c/webappsec-permissions-policy#241
|
This can be closed I suppose, though maybe there should be a central registry of names? |
|
That sentiment is coming up more and more often. It's probably something we should start. |
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Nov 19, 2018
…ng `document.domain`., a=testonly Automatic update from web-platform-testsEnable Feature Policy control over setting `document.domain`. Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#607530} -- wpt-commits: 823de788415a8e17423cbce27ccb82211ebfbfd3 wpt-pr: 14020
mustaqahmed
pushed a commit
to mustaqahmed/html
that referenced
this issue
Feb 15, 2019
This patch introduces the 'document-domain' policy-controlled feature, and updates the document.domain setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a "SecurityError" DOMException. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
mustaqahmed
pushed a commit
to mustaqahmed/html
that referenced
this issue
Feb 15, 2019
This patch introduces the 'document-domain' policy-controlled feature, and updates the document.domain setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a "SecurityError" DOMException. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
|
I'm arriving a bit late to the party, but there is already a mechanism that disables the https://lists.w3.org/Archives/Public/public-whatwg-archive/2013Aug/0023.html Does the feature discussed here add something that the |
|
It's in the HTML spec, too -- just above the FP mechansism: https://html.spec.whatwg.org/#dom-document-domain Disabling the setter for sandboxed frames was, I think, the first thing that could reasonably be done; this extends that by allowing it for potentially any frame, sandboxed or not. Having the feature available in feature policy also means that you will also be able to declare it as the policy for an entire origin with Origin Policy eventually, and we'll be able to do complete process isolation of an entire origin, without needing to sandbox each frame. |
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this issue
Oct 3, 2019
…ng `document.domain`., a=testonly Automatic update from web-platform-testsEnable Feature Policy control over setting `document.domain`. Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Cr-Commit-Position: refs/heads/master{#607530} -- wpt-commits: 823de788415a8e17423cbce27ccb82211ebfbfd3 wpt-pr: 14020 UltraBlame original commit: 51587462b49ff958ce584efe88e2e3565a51dac5
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this issue
Oct 3, 2019
…ng `document.domain`., a=testonly Automatic update from web-platform-testsEnable Feature Policy control over setting `document.domain`. Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Cr-Commit-Position: refs/heads/master{#607530} -- wpt-commits: 823de788415a8e17423cbce27ccb82211ebfbfd3 wpt-pr: 14020 UltraBlame original commit: 51587462b49ff958ce584efe88e2e3565a51dac5
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this issue
Oct 3, 2019
…ng `document.domain`., a=testonly Automatic update from web-platform-testsEnable Feature Policy control over setting `document.domain`. Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Cr-Commit-Position: refs/heads/master{#607530} -- wpt-commits: 823de788415a8e17423cbce27ccb82211ebfbfd3 wpt-pr: 14020 UltraBlame original commit: 51587462b49ff958ce584efe88e2e3565a51dac5
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A Problem
document.domainis an unfortunate API that allows developers to relax the same-origin policy to enable direct access between two documents with identical registrable domains, even when their origins don't match.Among the security issues it directly and intentionally enables, this API also makes it difficult for browser vendors to implement origin-based process isolation (as opposed to site-based isolation), as it's impossible to know a priori whether or not the origin boundary will actually be respected.
A Proposal
We should add a feature to feature policy which causes the
document.domainsetter to throw (as @annevk noted in #23, we shouldn't forbid access to thedocument.domaingetter). We can initially enable this feature by default, and ratchet it down over time as we're able to drive usage down. This model seems like it'll be successful for sync XHR, and I hope it'll be applicable here as well.That is, in the presence of:
Feature-Policy: document-domain 'none'The following code will throw a
SecurityError:The text was updated successfully, but these errors were encountered: