-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Control over document.domain
#241
Comments
/cc whatwg/security, @clelland. WDYT? |
Intent to Implement: TBD Explainer: w3c/webappsec-permissions-policy#241 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71
This patch introduces the 'document-domain' policy-controlled feature, and updates the 'document.domain' setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a 'SecurityError'. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
Intent: TBD Explainer: w3c/webappsec-permissions-policy#241 Spec: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71
I really like this, and throwing is probably the right thing to do, rather than letting script continue on the page blindly. That does mean that it will be possible to induce an exception in a frame by turning off the feature when it is embedded. (If we don't throw an exception here, then the site will almost certainly encounter one when it tries to access the other frame's contentDocument any way. Throwing here more clearly tells developers that setting domain is the behaviour which has been disabled) |
Intent: TBD Explainer: w3c/webappsec-permissions-policy#241 Spec: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#607530}
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#607530}
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#607530}
This patch introduces the 'document-domain' policy-controlled feature, and updates the document.domain setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a "SecurityError" DOMException. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
This change adds data for the `document-domain` Feature-Policy directive. See https://html.spec.whatwg.org/multipage/infrastructure.html#document-domain-feature See also whatwg/html@33b566f See also whatwg/html#4170 See also w3c/webappsec-permissions-policy#241
This change adds data for the `document-domain` Feature-Policy directive. See https://html.spec.whatwg.org/multipage/infrastructure.html#document-domain-feature See also whatwg/html@33b566f See also whatwg/html#4170 See also w3c/webappsec-permissions-policy#241
This change adds data for the `document-domain` Feature-Policy directive. See https://html.spec.whatwg.org/multipage/infrastructure.html#document-domain-feature See also whatwg/html@33b566f See also whatwg/html#4170 See also w3c/webappsec-permissions-policy#241
This can be closed I suppose, though maybe there should be a central registry of names? |
That sentiment is coming up more and more often. It's probably something we should start. |
…ng `document.domain`., a=testonly Automatic update from web-platform-testsEnable Feature Policy control over setting `document.domain`. Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Cr-Commit-Position: refs/heads/master@{#607530} -- wpt-commits: 823de788415a8e17423cbce27ccb82211ebfbfd3 wpt-pr: 14020
This patch introduces the 'document-domain' policy-controlled feature, and updates the document.domain setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a "SecurityError" DOMException. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
This patch introduces the 'document-domain' policy-controlled feature, and updates the document.domain setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a "SecurityError" DOMException. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
I'm arriving a bit late to the party, but there is already a mechanism that disables the https://lists.w3.org/Archives/Public/public-whatwg-archive/2013Aug/0023.html Does the feature discussed here add something that the |
It's in the HTML spec, too -- just above the FP mechansism: https://html.spec.whatwg.org/#dom-document-domain Disabling the setter for sandboxed frames was, I think, the first thing that could reasonably be done; this extends that by allowing it for potentially any frame, sandboxed or not. Having the feature available in feature policy also means that you will also be able to declare it as the policy for an entire origin with Origin Policy eventually, and we'll be able to do complete process isolation of an entire origin, without needing to sandbox each frame. |
…ng `document.domain`., a=testonly Automatic update from web-platform-testsEnable Feature Policy control over setting `document.domain`. Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Cr-Commit-Position: refs/heads/master{#607530} -- wpt-commits: 823de788415a8e17423cbce27ccb82211ebfbfd3 wpt-pr: 14020 UltraBlame original commit: 51587462b49ff958ce584efe88e2e3565a51dac5
…ng `document.domain`., a=testonly Automatic update from web-platform-testsEnable Feature Policy control over setting `document.domain`. Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Cr-Commit-Position: refs/heads/master{#607530} -- wpt-commits: 823de788415a8e17423cbce27ccb82211ebfbfd3 wpt-pr: 14020 UltraBlame original commit: 51587462b49ff958ce584efe88e2e3565a51dac5
…ng `document.domain`., a=testonly Automatic update from web-platform-testsEnable Feature Policy control over setting `document.domain`. Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Ff6Ywg5vnh4/VbDH4X6wBQAJ Explainer: w3c/webappsec-permissions-policy#241 Spec PR: whatwg/html#4170 Bug: 904351 Change-Id: I14c0c3c871a01017f9c2bcbe8ed41c7b26782e71 Reviewed-on: https://chromium-review.googlesource.com/c/1329791 Commit-Queue: Mike West <mkwstchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Cr-Commit-Position: refs/heads/master{#607530} -- wpt-commits: 823de788415a8e17423cbce27ccb82211ebfbfd3 wpt-pr: 14020 UltraBlame original commit: 51587462b49ff958ce584efe88e2e3565a51dac5
A Problem
document.domain
is an unfortunate API that allows developers to relax the same-origin policy to enable direct access between two documents with identical registrable domains, even when their origins don't match.Among the security issues it directly and intentionally enables, this API also makes it difficult for browser vendors to implement origin-based process isolation (as opposed to site-based isolation), as it's impossible to know a priori whether or not the origin boundary will actually be respected.
A Proposal
We should add a feature to feature policy which causes the
document.domain
setter to throw (as @annevk noted in #23, we shouldn't forbid access to thedocument.domain
getter). We can initially enable this feature by default, and ratchet it down over time as we're able to drive usage down. This model seems like it'll be successful for sync XHR, and I hope it'll be applicable here as well.That is, in the presence of:
Feature-Policy: document-domain 'none'
The following code will throw a
SecurityError
:The text was updated successfully, but these errors were encountered: