From c58393bf0b9e2a86abee916c3cef3361f2741567 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Thu, 27 Oct 2022 11:49:12 +0200 Subject: [PATCH] Define opaque-response blocking This is good enough for early review, but there are a number of issues that still need resolving: https://github.com/annevk/orb/labels/mvp. There are also some inline TODO comments. A PR against HTML is needed to ensure it passes the appropriate metadata for media element and classic script requests. We might also want to depend on HTML for parsing JavaScript. --- fetch.bs | 312 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 305 insertions(+), 7 deletions(-) diff --git a/fetch.bs b/fetch.bs index 47eb6b489..f31d5d657 100644 --- a/fetch.bs +++ b/fetch.bs @@ -37,6 +37,9 @@ urlPrefix:https://w3c.github.io/hr-time/#;spec:hr-time urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262 url:realm;text:realm url:sec-list-and-record-specification-type;text:Record + url:sec-parsetext;text:ParseText + url:prod-Script;text:Script + url:script-record;text:Script Record 
@@ -1970,6 +1973,17 @@ Unless stated otherwise, it is false.
 
 
This flag is for exclusive use by HTML's render-blocking mechanism. [[!HTML]]
 
+
A request has an associated
+no-cors media request state ...
+
+
This is for exclusive use by the opaque-response-safelist check.
+
+
A request has an associated
+no-cors JavaScript fallback encoding (an encoding). Unless
+stated otherwise, it is UTF-8.
+
+
This is for exclusive use by the opaque-response-safelist check.
+
 

 
 
A request has an associated
@@ -3042,6 +3056,285 @@ run these steps:
 
 
 
+
Opaque-response blocking

+
+

+ 
Opaque-response blocking, also known as ORB, is a network filter that blocks access
+ to opaque filtered responses. These responses would likely would not have been useful to the
+ fetching party. Blocking them reduces information leakage to potential attackers.
+
+ 
Essentially, CSS, JavaScript, images, and media (audio and video) can be requested across
+ origins without the CORS protocol. And unfortunately except for CSS there is no MIME type
+ enforcement. This algorithm aims to block as many responses as possible that are not one of these
+ types (or are newer variants of those types) to avoid leaking their contents through side channels.
+
+ 
The network filter combines pro-active blocking based on response headers, sniffing a limited
+ set of bytes, and ultimately falls back to a full parse due to unfortunate (lack of) design
+ decisions in the early days of the web platform. As a result there are still quite a few responses
+ whose secrets can end up being revealed to attackers. Web developers are strongly encouraged to use
+ the `Cross-Origin-Resource-Policy` response header to defend them.
+

+
+
+
The opaque-response-safelist check

+
+
The opaque-response-safelist check, given a request request
+and a response response, is to run these steps:
+
+
    
+ 
  1. Let mimeType be the result of extracting a MIME type from
+ response's header list.
+
+ 
  2. Let nosniff be the result of determining nosniff given
+ response's header list.
+
+ 
  3. 
+  
    If mimeType is not failure, then:
+
+  
      
+   
    1. If mimeType is an opaque-response-safelisted MIME type, then return
+   true.
+
+   
    2. If mimeType is an opaque-response-blocklisted-never-sniffed MIME type,
+   then return false.
+
+   
    3. If response's status is 206 and mimeType is an
+   opaque-response-blocklisted MIME type, then return false.
+
+   
    4. If nosniff is true and mimeType is an
+   opaque-response-blocklisted MIME type or its essence is
+   "text/plain", then return false.
+  
    
+
+ 
  4. If request's no-cors media request state is
+ "subsequent", then return true.
+
+ 
  5. If response's status is 206 and
+ validate a partial response given 0 and response returns invalid, then return
+ false.
+ 
+
+ 
  6. Let bytes be the result of running
+ obtain a copy of the first 1024 bytes of response given response.
+
+ 
  7. If bytes is failure, then return false.
+
+ 
  8. 
+  
    If the audio or video type pattern matching algorithm given bytes does not
+  return undefined, then:
+
+  
      
+   
    1. If requests's no-cors media request state is not
+   "initial", then return false.
+
+   
    2. If response's status is not 200 or 206, then return false.
+
+   
    3. Return true.
+  
    
+
+ 
  9. If requests's no-cors media request state is not
+ "N/A", then return false.
+
+ 
  10. If the image type pattern matching algorithm given bytes does not return
+ undefined, then return true.
+
+ 
  11. 
+  
    If nosniff is true, then return false.
+
+  
    This check is made late as unfortunately images and media are always sniffed.
+
+ 
  12. If response's status is not an ok status, then return
+ false.
+
+ 
  13. 
+  
    If mimeType is failure, then return true.
+
+  
    This could be improved at somewhat significant cost. See
+  annevk/orb #28.
+
+ 
  14. If mimeType's essence starts with
+ "audio/", "image/", or "video/", then return false.
+
+ 
  15. Return determine if response is JavaScript and not JSON given response.
+

+
+

+
+
To obtain a copy of the first 1024 bytes of response, given a response
+response, run these  steps:
+
+
    
+ 
  1. Let first1024Bytes be null.
+
+ 
  2. 
+  
    In parallel:
+
+  
      
+   
    1. Let bytes be the empty byte sequence.
+
+   
    2. Let transformStream be a new {{TransformStream}}.
+
+   
    3. 
+    
      Let transformAlgorithm given a chunk be these steps:
+
+    
        
+     
      1. Enqueue chunk in transformStream.
+
+     
      2. 
+      
        If first1024Bytes is null, then:
+
+      
          
+       
        1. Let chunkBytes be
+       a copy of the bytes held by
+       chunk.
+
+       
        2. Append chunkBytes to bytes.
+
+       
        3. 
+        
          If bytes's length is greater than 1024, then:
+
+        
            
+         
          1. Truncate bytes from the end so that it only contains 1024 bytes.
+
+         
          2. Set first1024Bytes to bytes.
+        
          
+      
        
+    
      
+
+   
    4. Let flushAlgorithm be this step: if first1024Bytes is null, then set
+   first1024Bytes to bytes.
+
+   
    5. Set up transformStream with
+   transformAlgorithm set to
+   transformAlgorithm and flushAlgorithm set
+   to flushAlgorithm.
+
+   
    6. Set response's body's stream to the result
+   of response's body's stream
+   piped through transformStream.
+  
    
+
+ 
  3. Wait until first1024Bytes is non-null or response's
+ body's stream is errored.
+
+ 
  4. If first1024Bytes is null, then return failure.
+
+ 
  5. Return first1024Bytes.
+

+
+

+
+
To determine if response is JavaScript and not JSON given a response
+response, run these steps:

+
+
    
+ 
  1. Let responseBodyBytes be null.
+
+ 
  2. 
+  
    Let processBody given a byte sequence bytes be these steps:
+
+  
      
+   
    1. Set responseBodyBytes to bytes.
+
+   
    2. Set response's body to the body
+   of the result of safely extracting bytes.
+  
    
+
+ 
  3. Let processBodyError be this step: set responseBodyBytes to failure.
+
+ 
  4. Fully read response's body given processBody
+ and processBodyError.
+
+ 
  5. Wait for responseBodyBytes to be non-null.
+
+ 
  6. If responseBodyBytes is failure, then return false.
+
+ 
  7. Assert: responseBodyBytes is a byte sequence.
+
+ 
  8. 
+  
    If parse JSON bytes to a JavaScript value given responseBodyBytes does not
+  throw, then return false. If it throws, catch the exception and ignore it.
+
+  
    If there is an exception, response is not JSON. If there is not, it is.
+
+ 
  9. Let potentialMIMETypeForEncoding be the result of extracting a MIME type
+ given response's header list.
+
+ 
  10. 
+  
    Let encoding be the result of legacy extracting an encoding given
+  potentialMIMETypeForEncoding and request's
+  no-cors JavaScript fallback encoding.
+
+  
    Equivalently to fetch a classic script, this ignores the
+  MIME type essence.
+
+ 
  11. Let sourceText be the result of decoding
+ responseBodyBytes given encoding.
+
+ 
  12. If ParseText(sourceText, Script) returns a Script Record,
+ then return true.
+ 
+
+ 
  13. Return false.
+

+
+
+
New MIME type sets

+
+
The definitions in this section are solely for the purpose of abstracting parts of the
+opaque-response-safelist check. They are not suited for usage elsewhere.
+
+
An opaque-response-safelisted MIME type is a JavaScript MIME type or a
+MIME type whose essence is "text/css" or
+"image/svg+xml".
+
+
An opaque-response-blocklisted MIME type is an HTML MIME type,
+JSON MIME type, or XML MIME type.
+
+
An opaque-response-blocklisted-never-sniffed MIME type is a MIME type
+whose essence is one of:
+
+

+
+
 
 
HTTP extensions

 
@@ -4846,19 +5139,23 @@ these steps:
    
  • Set response and actualResponse to the result of running
    HTTP-network-or-cache fetch given fetchParams.
 
-   
  • 
-    
    If request's response tainting is "cors" and a
-    CORS check for request and response returns failure, then return a
-    network error.
+   
  • If request's response tainting is "opaque",
+   response's status is not a redirect status, and the
+   opaque-response-safelist check given request and response returns
+   false, then return a network error.
 
-    
    As the CORS check is not to be applied to
-    responses whose status is 304 or 407, or responses
-    from a service worker for that matter, it is applied here.
+   
  • If request's response tainting is "cors" and
+   the CORS check for request and response returns failure, then return
+   a network error.
 
    
  • If the TAO check for request and response returns failure,
    then set request's timing allow failed flag.
   
 
+  
    As the opaque-response-safelist check, CORS check, and
+  TAO check are not to be applied to responses whose status
+  is 304 or 407, or to responses from a service worker, they are applied here.
+
  
  • 
   
    If either request's response tainting or response's
   type is "opaque", and the
@@ -8421,6 +8718,7 @@ Mohamed Zergaoui,
 Mohammed Zubair Ahmed,
 Moritz Kneilmann,
 Ms2ger,
+Nathan Froyd,
 Nico Schlömer,
 Nicolás Peña Moreno,
 Nidhi Jaju,