HTML's "navigate" algorithm should handle 'X-Frame-Options' and CSP's 'frame-ancestors' #1230

Open
mikewest opened this Issue May 11, 2016 · 9 comments


mikewest commented May 11, 2016

See whatwg/fetch#302 where I initially filed this request. @annevk's suggestion that we handle the header inside the navigation algorithm (probably as step 21, after the response checks?) SGTM.

This will require some changes to CSP as well to move frame-ancestors from a response check in Fetch to a new check in the navigate algorithm.

annevk commented Jul 5, 2016

This should be pretty easy to add now.

mikewest commented Aug 1, 2016

Poking at this today. For frame-ancestor, I expect to add the relevant hooks to CSP, and then call them from https://html.spec.whatwg.org/#process-a-navigate-response. For X-F-O, I'll make up something that at least somewhat aligns with RFC7034.

mikewest added a commit to w3c/webappsec-csp that referenced this issue Aug 1, 2016

Move 'frame-ancestors' processing to navigation (whatwg/html#1230)
This introduces a new 'navigation check', which we'll need to wire up to
HTML. That, in turn, requires HTML to use Fetch. WHATWG's does, W3C's
does not (w3c/html#548).

mikewest added a commit to w3c/webappsec-csp that referenced this issue Aug 2, 2016

Add another navigation hook for 'form-action'.
The initial pass at whatwg/html#1230 was too simple. Let's complexify
it up a little bit, shall we?

mikewest commented Aug 2, 2016

"Pretty easy to add", he says.

Basically, we didn't think about this enough, and it's more subtle than I thought, because we need the source browsing context's policy in some cases (form-action), and the target browsing context's parent's policy in others (frame-src), and the response's policy in still others (frame-ancestors). I think these two hooks give me the tools I'll need to poke at things in CSP, but I wonder if there's a better way...

WDYT?

annevk commented Aug 4, 2016

One way to do form-action is to just hook it directly in form submission. And just navigate to a network error if it blocks. If it's specific to forms invoking navigate we might as well keep it there.

The others remain complicated.

mikewest commented Aug 4, 2016

Hooking directly into form submission wouldn't catch redirects, would it? I think we need to live in navigate for that to work.

annevk commented Aug 4, 2016

Good point.

mikewest commented Aug 16, 2016

Are you waiting on me for this PR? (Sorry, I've been out for almost two weeks, so I'm trying to page this back in....)

annevk commented Aug 16, 2016

Yeah, the review comments are not addressed yet I thought.

annevk added a commit that referenced this issue Aug 18, 2016

Upstream navigation hooks from CSP
This will enable implementation of 'frame-ancestors' and 'form-action', and makes a bit of progress towards #1230.

mikewest added a commit to w3c/webappsec-csp that referenced this issue Aug 18, 2016

triple-underscore added a commit to triple-underscore/triple-underscore.github.io that referenced this issue Aug 18, 2016

domenic commented May 30, 2018

Today @travisleithead discovered that Chrome does not support the ALLOW-FROM variant. Edge had strict parsing, which broke when it encountered a web site with ALLOW-FROM=https://example.com/.

If we do manage to get around to speccing this, so that nobody else runs into these sorts of interop issues while building their browsers, we'll need to figure out what to do with ALLOW-FROM. Probably also questions around whitespace trimming etc. So yeah, not just semantic issues, also syntactic ones :(
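
The interop gap described in the comment above can be checked from the server side. The following is an added example, not code from this thread or from any spec: it audits a response's framing headers and flags X-Frame-Options values that depend on `ALLOW-FROM` when no CSP `frame-ancestors` directive backs them up. The function names, the lower-cased header object and the sample values are assumptions made for the example.

```javascript
// Added example: audit framing headers on a response (names are hypothetical).
// Header keys are assumed lower-cased, as Node's http module presents them.

// Classify one X-Frame-Options value against the three RFC 7034 forms.
function classifyXfo(raw) {
  const value = raw.trim();            // tolerate surrounding whitespace
  const upper = value.toUpperCase();   // RFC 7034 values are case-insensitive
  if (upper === 'DENY') return { kind: 'deny', portable: true };
  if (upper === 'SAMEORIGIN') return { kind: 'sameorigin', portable: true };
  // RFC 7034 form: "ALLOW-FROM", whitespace, then an origin.
  const m = /^ALLOW-FROM[ \t]+(\S+)$/i.exec(value);
  if (m) return { kind: 'allow-from', origin: m[1], portable: false };
  // The "ALLOW-FROM=https://..." spelling quoted in the thread is not RFC 7034 syntax.
  if (/^ALLOW-FROM\s*=/i.test(value)) return { kind: 'malformed-allow-from', portable: false };
  return { kind: 'unknown', portable: false };
}

// Return the frame-ancestors source list from a CSP header value, or null.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Report framing configurations that rely on non-portable X-Frame-Options values.
function auditFraming(headers) {
  const findings = [];
  const xfo = headers['x-frame-options'];
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (xfo === undefined && ancestors === null) findings.push('no framing restriction sent');
  if (xfo !== undefined) {
    const c = classifyXfo(xfo);
    if (!c.portable && ancestors === null) {
      findings.push(`X-Frame-Options "${xfo.trim()}" (${c.kind}) may not be enforced ` +
                    'by every browser; add CSP frame-ancestors');
    }
  }
  return findings;
}

// Constructed sample response headers, using the value quoted in the thread.
console.log(auditFraming({ 'x-frame-options': 'ALLOW-FROM=https://example.com/' }));
```
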
