Sandbox, COOP, and error pages. #7345
Labels
topic: cross-origin-opener-policy
Issues and ideas around the new "inverse of rel=noopener" header
topic: sandbox
Comments
annevk
added
topic: cross-origin-opener-policy
|
So:
User agents could alternatively do:
I think that would be reasonable. |
|
Updated the original post with implicit assumptions. To make sure I understand your proposals, we have option 1:
Or Option 2:
I discussed with @ArthurSonzogni, and I think we prefer option 1, as keeping the popup not visible when we open from a sandboxed iframe until we have a first navigation sounds confusing to the user and is probably hard to implement as well. As for practically implementing option 1 in the spec, I don't think we want to restart the navigation to an error page, but we could simply enforce COOP even in this case. I'm thinking we could just move
after
|
|
I wasn't viewing them as different proposals; they are implementation alternatives as they should be indistinguishable as far as web pages are concerned. Your proposal for the HTML standard makes sense. I agree that we wouldn't want to wait for the COOP document to load. I was wondering if instead of checking responseCOOP we should be checking coopEnforcementResult's needs a browsing context group switch, but that might result in different behavior. In particular if you have sandboxed A (but with allow-same-origin) opening A and both have COOP, I suspect coopEnforcementResult's needs a browsing context group switch would be false. |
|
Indeed relying on coopEnforcementResult might open other holes in the sandbox rule that we probably don't want. |
3 tasks
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 24, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We set the COOP value before the Sandbox + COOP failure to have access to it in the policy container. We update the policy container inheritance for error pages, to take into account COOP if it was set. That breaks the invariant of having all error pages use "unsafe-none". We only want error pages to sever their opener (and do things implied by COOP), we never want them to end up in cross-origin isolated contexts. We add an exception to the centralized computation of WebExposedIsolationInfo to exclude error pages. They are never considered cross-origin isolated. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 24, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We set the COOP value before the Sandbox + COOP failure to have access to it in the policy container. We update the policy container inheritance for error pages, to take into account COOP if it was set. That breaks the invariant of having all error pages use "unsafe-none". We only want error pages to sever their opener (and do things implied by COOP), we never want them to end up in cross-origin isolated contexts. We add an exception to the centralized computation of WebExposedIsolationInfo to exclude error pages. They are never considered cross-origin isolated. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 26, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 29, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 29, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 29, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 29, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 29, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 30, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 30, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3293412 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 30, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3293412 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387}
blueboxd
pushed a commit
to blueboxd/chromium-legacy
that referenced
this issue
Nov 30, 2021
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3293412 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Dec 1, 2021
…ener., a=testonly Automatic update from web-platform-tests [Fixit] Make sandbox + COOP break the opener. Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3293412 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387} -- wpt-commits: 4401bb56f90668983f6c237523a85f8875be9c77 wpt-pr: 31731
aosmond
pushed a commit
to aosmond/gecko
that referenced
this issue
Dec 1, 2021
…ener., a=testonly Automatic update from web-platform-tests [Fixit] Make sandbox + COOP break the opener. Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3293412 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387} -- wpt-commits: 4401bb56f90668983f6c237523a85f8875be9c77 wpt-pr: 31731
qtprojectorg
pushed a commit
to qt/qtwebengine-chromium
that referenced
this issue
Feb 12, 2022
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3293412: [Fixit] Make sandbox + COOP break the opener. Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
qtprojectorg
pushed a commit
to qt/qtwebengine-chromium
that referenced
this issue
Feb 18, 2022
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3293412: [Fixit] Make sandbox + COOP break the opener. Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
qtprojectorg
pushed a commit
to qt/qtwebengine-chromium
that referenced
this issue
Mar 3, 2022
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3293412: [Fixit] Make sandbox + COOP break the opener. Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
mfreed7
pushed a commit
to mfreed7/html
that referenced
this issue
Jun 3, 2022
I.e., the relationship between the browsing contexts is severed first and only then does the popup become a network error. Tests: WPT html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html. Closes whatwg#7345.
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this issue
Oct 14, 2022
Sandbox flags and COOP cannot currently live on the same page. This was decided when first implementing COOP. If COOP and sandboxing flags are present on the same top level window, we return an error page instead, and COOP has no effect. Exploits have been discovered recently about abusing an opened window and history to be able to guess the cross-origin url using the history API. See: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614 Error pages were left out from the fix, because it would be inelegant to insert error pages into history after a successful reload. That means error pages can potentially be used to guess a cross-origin URL. If in general this is acceptable, in our case its worse for two reasons: - COOP is used to protect pages that are usually more valuable or hold important data. - It is possible to reach an error page after response without relying on timing, etc. Therefore we'd like to sever the opener when we fail after receiving a response, if the target page did set COOP. Basically we'd like to change the spec to enforce COOP even when we fail because of COOP+sandbox. Spec discussion can be found here: whatwg/html#7345 On the implementation side, this patch adds the WPTs necessary to the spec change, and the modified behavior. We add a setter to the swap parameter to be able to only activate that without breaking the COOP: Unsafe-none for error pages invariant. This applies to final responses and redirects. This does not alter the reload behavior, as this only happens for cases where reloads would not be successful anyway. Bug: 1256823 Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3293412 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#946387} NOKEYCHECK=True GitOrigin-RevId: d400fcfcccd5d1fc636d8758fcfa3c9490f37ca5
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When a sandboxed iframe, tries to opens a popup to a COOP page, we return an error page in the popup instead. This is specified here:
In particular this assumes that keeping a handle to the popup with the error page is safe. However a recent bug shows that this surface is sufficient to leak information. Should we maybe consider cutting the opener if we end up in this case?
Note, for this to work:
The text was updated successfully, but these errors were encountered: