New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
<iframe sandbox srcdoc="foo"> on a secure page should be secure #5
Comments
I'm fairly certain this is already dealt with via the The case that's more interesting is when we're secure because we're
|
What is a data or javascript origin? There's no such thing. |
Indeed. I should have just copy/pasted from the note: "The origin of |
For data URLs at least Fetch does set HTTPS state on the response based on who initiated the fetch. So something seems amiss. |
I see. That's a mismatch between Chrome and Fetch, then. We've traditionally had problems identifying "who identified the fetch" when it comes to |
Ah, that's why that check is there. OK.
Yes.
It's not. That skipping makes a descendant of a srcdoc document ignore it for purposes of this stuff, but still leaves an
It's an informative note. It's helpful for understanding intent, but the normative language is what needs to define the actual behavior. Right now nothing normative says anything about what happens with opaque identifier origins; the relevant algorithms pretend they don't exist. Again, see #4. |
Let's assume I deal with #4 in some stunningly intelligent way. In this case, I'd like the following to happen:
I'll go write something up for #4 in the hopes of making these statements true. |
834f9f4 should take care of the bits in 1 above. I think it's accurate, but I'd appreciate feedback as to whether it addresses your concerns. |
There's also the case of the top-level document being sandboxed but loaded from a URI has a unique identifier origin, no? Most simply consider a sandboxed https:// page doing a |
Looks good to me. |
The current algorithm would consider it trustworthy if it was created by an Chrome would consider that new window untrustworthy, basically because Chrome doesn't like data URLs. Even if we did consider it trustworthy, Chrome wouldn't support many interesting features in the |
Ah, ok. It seems like that's the consistent thing to do to me, by the way: any time an origin would normally be aliased per spec, even if such aliasing is prevented by sandboxing, the HTTPS state should be copied. That would completely close up all the edge cases I can think of, as well as any future issues if new origin-sharing things are added. |
The patch which added HTTPS state to HTML should have covered all the cases in which new browsing contexts inherit details from their creator, and I believe that Anne has similarly covered all the right places in Fetch (see the first few items in https://fetch.spec.whatwg.org/#concept-basic-fetch, for example). I'd love it if you'd spot-check specific instances that come to mind to verify that we've gotten things right. |
Ah, I had missed the HTTPS state stuff in Fetch. I clearly need to read that spec again. I did just spot-check things, and I have two issues:
Ideally both would be defined in the same place so it was clear how things work.
Say I load an http:// page which is same-origin with me in browsing context On the other hand, origin inheritance as defined in HTML, at least for the data: case, uses the incumbent settings object when the "navigate" algorithm is invoked. I expect about:blank will be defined similarly. This means that the origin inherited is that of the page I think that these are basically the same problem: we want to make sure that any time we inherit an origin from a settings object we also inherit the HTTPS state from the same settings object. Ideally in as obvious a way as possible (i.e. in the same exact spec, at the same exact place, where we just have one settings object we grab both pieces of information from). @annevk, can we get there? |
Oh, and all this stuff obviously needs tests. Lots and lots of tests. |
Yeah, I think it's not just origin and HTTPS state, but also CSP policy, document's URL (maybe not always), and some other things. We should definitely try to get to a place where that is a single sane thing. Not sure about the timeframe though. Untangling HTML is hard. |
I wonder if we can just use the origin's scheme in that case and do away with all the spec text about how to propagate HTTPS state. |
No, because that fails for things that are sandboxed. We want to propagate HTTPS state any time we would have inherited origin, even if we're not due to sandboxing. |
I think modulo whatwg/html#255 and whatwg/html#856 all the issues and scenarios raised here work or have been fixed. Can we close this or are there outstanding issues or work to do? |
No, I also agree that those bugs cover the work necessary, and that once they're resolved, Secure Contexts will be doing the right thing. |
This may not end up being an issue depending on how #4 is resolved, but chances are it will be.
The intent of this spec is that on https://foo
<iframe sandbox src="https://foo">
be considered secure. But then<iframe sandbox srcdoc="whatever">
should also be considered secure.And chances are, so should
<iframe sandbox src="data:stuff">
and probably<iframe src="data:stuff">
, right?The text was updated successfully, but these errors were encountered: