-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow future extensions to the API without breaking compatibility #241
Comments
/ cc @jonathanKingston @otherdaniel @xtofian from previous discussions. |
The problem is that it fails open. True, but: I don't see how we can be future-proof without some degree of "fail-open". Would it make sense to distinguish between "fail-open" for existing sink types (which is IMHO undesired), and "fail-open" for future sink-types that the current code-base didn't yet know about (which is IMHO unavoidable)? Maybe we could have a syntax for unknown sinks (like: { createScript: ..., createOther: ... }) that a developer could use to really definitely opt-out of all future enhancements. That said, I think that whole avenue is a gigantic foot-cannon: Trying to opt-out of future, yet-unspecified behaviours sounds like something that you'd want, but that in practice will probably have a an overwhelming likelihood of having undesired side-effects. I strongly suspect that anything that blocks yet-unspecified, future sink-types is likely going to be more hassle than it's worth. |
I think I agree with @otherdaniel here. It seems reasonable to me for the default behavior to be permissive by default. That is, a default policy with Given that the story we're telling here is one of auditing and review, it seems reasonable to fail open in the absence of an explicit declaration, given that that "failure" would itself be reviewed.
This also fails open, doesn't it? If we're going to fail open either way, I prefer @otherdaniel's approach. :) |
I would prefer if there would be a CSP keyword to lock down the setting. The problem with using only the default policy for that mechanism is that it would have to be part of the JS, called once and before any DOM sinks are called. Default policy was initially meant to relax the enforcement, not tighten it (just like other policies). And since CSP is processed before the JS kicks in, that seems to match well to what we want. CSP defines limits for your application code, JS adheres to those restrictions. |
How about if we defined it like so:
That limits the APIs that we have to guard to existing CSP buckets. And there's no good place for TrustedHTML, although this can be defined as: if any directive has a 'trusted-types' keyword, |
TL;DR: How about
This is a fair point. I might be overindexing on the default policy's role in easing deployment, and the assumption that such a policy would exist. It certainly true that we want to support pages that don't define such a policy as well. Hrm. Let's look at the CSP integration again:
My initial reaction to that is that it might be confusing, as it also sets expectations that
I think I'd like to tie enforcement requirements to the semantic meaning of the relevant sinks, as opposed to the policy used to construct a type that fits that sink. The core of what TT is doing today seems to be management of script execution. If we go this route, it seems like we want a page's policy to do two things: define the list of policy names available on a given page, and define the scope for which those policies are required. The former seems reasonably placed in the I think it might be better to add a I'm not super-happy with that mechanism from an aesthetic perspective, as it seems like when we introduce |
That LGTM for all the reasons you mentioned (it has a slight advantage that it simplifies the configuration for what is likely to be the most common setting i.e. DOM XSS prevention). Unless anyone feels strongly opposed, I'd go along and spec it like this. Going once, going twice, ... |
To clarify - would the existence of Additionally html would also be relevant for styles, so I guess |
That's what I'd intended, yes.
Why? Is there any case in which someone would have an enforced CSP that restricted the names of policies available on a given page, but wouldn't also want to enforce TT requirements for sinks? Isn't that behavior what
Yes. In this model, sinks that require |
Just so I get this... There'd be
|
Invalid keywords should be ignored I think, so in this case you end up with empty directive that implies 'script'.
Correct. |
Yes, though I'm not sure why we'd offer that option.
Neither of these are consistent with CSP. That is, What I'm suggesting above is that we treat the presence of the I'm also comfortable with leaving nothing to the imagination, and requiring the boilerplate |
On Tue, Nov 26, 2019, 08:55 Mike West ***@***.***> wrote:
I can imagine require-trusted-types-for 'none' value switchng off the
enforcement? (that is, assuming there are no other CSPs that re-enable it).
Yes, though I'm not sure why we'd offer that option.
I think an empty directive should not imply 'none' (also to solve the
below) ... Invalid keywords should be ignored I think, so in this case you
end up with empty directive that implies 'script'.
Neither of these are consistent with CSP. That is, script-src; does not
imply "Load all the script!" but "Don't load script."
That's because adding to most other directives relaxes the setting. *-for
directives do the opposite, which might explain a different logic here.
It's just a though.
If we add something like require-trusted-types-for, then I'd suggest that
we implement it's parsing in a manner similar to other directives: invalid
keywords are ignored, valid keywords are accepted, and the list of valid
types provided is a complete representation of the scope.
What I'm suggesting above is that we treat the presence of the
trusted-type as implying require-trusted-types-for 'script' unless that
directive is specified. As @otherdaniel <https://github.com/otherdaniel>
notes, we'd keep that implication even if Trusted Types grew new types in
the future.
I'm also comfortable with leaving nothing to the imagination, and
requiring the boilerplate require-trusted-types-for 'script' to be
included in every policy. That's more clear, and ensures that forward
compatibility is maintained explicitly. It's also superfluous until and
unless we extend the mechanism, which is unfortunate.
Ok, so the lack of directive == 'script', but its presence overrides that?
If we don't offer turning off TT for scripting (with a none keyword, or an
empty directive), that directive is toothless, as every setting gives one
the same behavior. Which means that its implementation can be postponed
until we add new types.
In this light, I'm not sure - perhaps explicitness is better.
—
… You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#241>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA7JK7R4YJG5RC2CWSUBKDQVTJATANCNFSM4JOUSTPQ>
.
|
That's a reasonable point. Perhaps If we run with that interpretation, then I think we need to make people type @jonathanKingston, @annevk: It would be quite helpful for y'all to weigh in from Mozilla's perspective around the |
Actually, it seems like the common setting might be With that logic, we could even remove |
I like that way of looking at it. Should we then rename |
Makes sense to me. Names: I'd prefer I take this is orthogonal to |
I'm indifferent re: the naming. So I guess the decision here is rather if we aim for more directives in the future, or more keywords. Either seems fine. I think this is orthogonal to |
I think either
|
I have a slight preference to leave it under |
Pulling out a comment from mozilla/standards-positions#20 (comment).
The gist of the issue is that while TT cover DOM XSS now, we should allow ourselves to extend its approach to other security problems (e.g. data exfiltration or keyboard sniffing via CSS #104). The API itself should also be backwards-compatible - e.g. implementing new types in the browser should not break existing websites that use TT for DOM XSS only. Citing @otherdaniel :
One idea on how this could be achieved is opting in to each enfrocement area (e.g. DOM XSS, CSS) separately - for example declaratively via a CSP keyword i.e. Per-type enforcement #66.
Another is to make the (default) policy createXYZ permissive by default (one would have to explicitly set
createXYZ
value to null or a custom function to get the failing close behavior), so for example:would blockDOMXSSy types, but allow CSS, whereas
allows all current and future types. The problem is that it fails open.
The text was updated successfully, but these errors were encountered: