Wildcards in Permissions Policy Origins #482
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change will add support for wildcard in permissions policy structured like SCHEME://*.HOST:PORT (e.g., https://*.foo.com/) where a valid Origin could be constructed from SCHEME://HOST:PORT (e.g., https://foo.com/). This requires that HOST is at least eTLD+1 (a registrable domain). This means that https://*.bar.foo.com/ works but https://*.com/ won’t (if you want to allow all domains to use the feature, you should just delegate to *). Wildcards in the scheme and port section will be unsupported and https://*.foo.com/ does not delegate to https://foo.com/. Before, a permissions policy might need to look like: permissions-policy: ch-ua-platform-version=(self "https://foo.com" "https://cdn1.foo.com" "https://cdn2.foo.com") With this feature, it could look like: permissions-policy: ch-ua-platform-version=(self "https://foo.com" "https://*.foo.com") This flexibility assists developers that need to delegate permissions to multiple subdomains (e.g., CDNs). This is an in-progress change, the following components are needed: - [x] Update ABNF - [ ] Define matching - [ ] Add example closes #479
Member
Author
|
@yoavweiss have a sec for review? I want to get the ABNF correct before moving on to deeper integration The other option is to do something more explicit like https://www.w3.org/TR/CSP2/#host_part, but it seemed desirable to not reinvent the wheel since we aren't supporting wildcards everywhere. |
Member
Author
|
Forgot @yoavweiss is out, @clelland have time to take a look? |
clelland
reviewed
Aug 26, 2022
Member
Author
|
Updated with the matching logic. |
yoavweiss
reviewed
Aug 30, 2022
yoavweiss
reviewed
Aug 31, 2022
yoavweiss
reviewed
Sep 2, 2022
Contributor
yoavweiss
left a comment
yoavweiss
left a comment
There was a problem hiding this comment.
Non-authoritative LGTM
Collaborator
|
I think there's still a piece missing here -- we're going to need at least 4 parts to incorporate this:
So far, this has the syntax, and correctly defines serialized-origin-with-wildcard-subdomain as a string, but those strings aren't allowed in allowlists (per https://w3c.github.io/webappsec-permissions-policy/#allowlists), and I think that the matching logic is trying to operate directly on those strings, which is awkward -- and to do it right, we'd need to convert back and forth between strings and origins. A way to resolve this would be to change the definition of what an allowlist can contain -- define an "origin with possible wildcard" to be an origin, and a boolean that says whether it also matches subdomains. Then the matching logic can check that boolean to know whether to do the deeper match. Regardless of how we handle it, we'll need to change 9.2. Construct policy from dictionary and origin and 9.3. Parse policy directive to parse the serialized-origin-with-wildcard-subdomain strings explicitly. Currently the call to the URL parser will fail because of the wildcards. |
Member
Author
|
@clelland good point! I think I integrated at the necessary spots now. |
clelland
requested changes
Sep 26, 2022
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Sep 27, 2022
…atches This CL focuses just on the wildcard subdomain matching function itself as it's a dangerous point of failure and needs deep review. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Parse wildcard subdomain matches in policy (4) Add WPTs Bug: 1345994 Change-Id: I42b4513038e91db0883d3e9afa77c7ebed57e3fb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3910955 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Dominick Ng <[email protected]> Reviewed-by: Yoav Weiss <[email protected]> Reviewed-by: Ian Clelland <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1052043}
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Sep 28, 2022
… policy This CL just propagates OriginWithPossibleWildcards up and down the stack. In all cases, the wildcard bool will be set to false as only the next CL will start parsing cases where wildcards are on. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Parse wildcard subdomain matches in policy (4) Add WPTs Bug: 1345994 Change-Id: Id38e069b434193ad3b2e77ec94ccc692a7db31fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3913410 Reviewed-by: Christoph Schwering <[email protected]> Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Bo Liu <[email protected]> Reviewed-by: Dominick Ng <[email protected]> Reviewed-by: Daniel Cheng <[email protected]> Reviewed-by: Yao Xiao <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Reviewed-by: danakj <[email protected]> Cr-Commit-Position: refs/heads/main@{#1052570}
annevk
reviewed
Oct 5, 2022
Member
annevk
left a comment
annevk
left a comment
There was a problem hiding this comment.
I thought we reached agreement at TPAC that this should share logic with CSP?
index.bs
Outdated
| with <var>origin</var> and the boolean <code>True</code>, then:</li> | ||
| <ol> | ||
| <li>If <var>origin</var> is not a <a>tuple origin</a>, then return false.<li> | ||
| <li>If <var>origin</var>'s <a>host</a> has a null <a>registrable domain</a>, return false.<li> |
Member
There was a problem hiding this comment.
This has to refer to the host of an origin using the for attribute.
Member
There was a problem hiding this comment.
Could you explain how you resolved this, as far as I can tell you reordered the words, but that doesn't help the fact that host points to the wrong thing.
Member
Author
There was a problem hiding this comment.
I think I had misunderstood, is it correct now?
index.bs
Outdated
| <li>Set <var>originWithoutWildcard</var> to be equal to the first value of the tuple <var>item</var>.</li> | ||
| <li>Set <var>originCandidate</var> to be equal to <var>origin</var> with the sequence | ||
| of <a>code points</a> in the <a>host</a> from the start up to and including the first "." removed.</li> | ||
| <li>While <var>originCandidate</var> has a <a>host</a> with a non-nill <a>registrable domain</a>:</li> |
Member
There was a problem hiding this comment.
Same problem with the host field as above.
Also, it's non-null.
Member
Author
I thought the agreement was that any further expansion of the wildcard syntax would require sharing logic with CSP, but that for this restrictive wildcard support a local modification was acceptable. |
Member
|
I think that any kind of wildcard parsing needs to have shared logic. We don't want multiple independent code paths for this that need to be audited separately and have the opportunity for divergence if future maintainers are not careful. |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Oct 6, 2022
We can see the entire thing work end to end now! This includes a fix for the JS permissions inspection API now that it's tested e2e. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Add WPTs (6) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Oct 6, 2022
We can see the entire thing work end to end now! This includes a fix for the JS permissions inspection API now that it's tested e2e. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Add WPTs (6) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Oct 6, 2022
We can see the entire thing work end to end now! This includes a fix for the JS permissions inspection API now that it's tested e2e. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Oct 6, 2022
We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Oct 6, 2022
We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Oct 7, 2022
…t parser The next CL will actually use the propagated type, but for now the important thing is to preserve the type so that we can differentiate attribute policies from header policies. Why not fold this CL into the next one which actually uses the type? This code is especially sensitive and I want to divide off portions where possible since the next CL has some very risky code. Why not add a test? This code is all internal, so a DCHECK and existing tests seems sufficient. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I9f5e47f3ca04b63dce0c14c03745a187a4f3171a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3936205 Commit-Queue: Ari Chivukula <[email protected]> Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Ian Clelland <[email protected]> Reviewed-by: Daniel Murphy <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056236}
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Oct 7, 2022
This CL finally implements the critical `origin with subdomain wildcard parser` portion of the code! It's not a lot of code, but needs some deep testing to be sure we aren't opening ourselves up to trouble. WPTs are split into the next CL so that we don't distract from targeted review here. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: Ic8dc79be3262cdd872987c818ce01e959cdce83a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3934705 Commit-Queue: Ari Chivukula <[email protected]> Reviewed-by: Ian Clelland <[email protected]> Auto-Submit: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056237}
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Oct 7, 2022
…orFeature We need to be sure to fix the getAllowlistForFeature function so that wildcard subdomain permissions aren't 'invisible' to to frontend users. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: Ib41c07c9027fa1aef4b7672155e3232b5372392c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938265 Reviewed-by: Ian Clelland <[email protected]> Auto-Submit: Ari Chivukula <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056241}
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Oct 7, 2022
We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938164 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Koji Ishii <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056243}
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Oct 7, 2022
This inverts the VTS so we retain testing of the disabled code path. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I269c863da497b1fb352801e848e63c4733fc46f4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938165 Reviewed-by: Koji Ishii <[email protected]> Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Ian Clelland <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056250}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Oct 8, 2022
We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938164 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Koji Ishii <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056243}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Oct 8, 2022
We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938164 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Koji Ishii <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056243}
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Oct 10, 2022
…tions Resolve TODOs in web_applications and support subdomain wildcard. By using the new Serialize/Parse functions we get support for free. This also adds some more testing to hedge against breakage. Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add Serialize/Parse functions (2) Use Serialize/Parse in web_applications Bug: 1345994 Change-Id: Id60e022e9f520eda17d20345fd803e1a253c69c0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3933647 Reviewed-by: Dominick Ng <[email protected]> Commit-Queue: Dominick Ng <[email protected]> Auto-Submit: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056824}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Oct 21, 2022
…PTs, a=testonly Automatic update from web-platform-tests [Permissions Policy Wildcards] (6) Add WPTs We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938164 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Koji Ishii <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056243} -- wpt-commits: 65aefb278c8c05feb767bebd3840b1b2dd2d7c61 wpt-pr: 36314
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this pull request
Oct 26, 2022
…PTs, a=testonly Automatic update from web-platform-tests [Permissions Policy Wildcards] (6) Add WPTs We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938164 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Koji Ishii <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056243} -- wpt-commits: 65aefb278c8c05feb767bebd3840b1b2dd2d7c61 wpt-pr: 36314
Member
Author
|
Restarting this since it's been a while. Will live on in: |
jwidar
pushed a commit
to jwidar/LatencyZeroGithub
that referenced
this pull request
Sep 16, 2025
…PTs, a=testonly Automatic update from web-platform-tests [Permissions Policy Wildcards] (6) Add WPTs We can see the entire thing work end to end now! Design doc: w3c/webappsec-permissions-policy#482 This CL is part of a series: (1) Add function to detect subdomain matches (2) Use OriginWithPossibleWildcards in policy (3) Propagate node source to allow list parser (4) Parse wildcard subdomain matches (5) Support wildcards in getAllowlistForFeature (6) Add WPTs (7) Enable by default Bug: 1345994 Change-Id: I8826db4e74eb8a40e09e176459fe5f84343d456e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3938164 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Koji Ishii <[email protected]> Commit-Queue: Ari Chivukula <[email protected]> Cr-Commit-Position: refs/heads/main@{#1056243} -- wpt-commits: 65aefb278c8c05feb767bebd3840b1b2dd2d7c61 wpt-pr: 36314
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change will add support for wildcard in permissions policy structured like SCHEME://.HOST:PORT (e.g., https://.foo.com/) where a valid Origin could be constructed from SCHEME://HOST:PORT (e.g., https://foo.com/). This requires that HOST is at least eTLD+1 (a registrable domain). This means that https://.bar.foo.com/ works but https://.com/ won’t (if you want to allow all domains to use the feature, you should just delegate to ). Wildcards in the scheme and port section will be unsupported and https://.foo.com/ does not delegate to https://foo.com/.
Before, a permissions policy might need to look like:
permissions-policy: ch-ua-platform-version=(self "https://foo.com" "https://cdn1.foo.com" "https://cdn2.foo.com")
With this feature, it could look like:
permissions-policy: ch-ua-platform-version=(self "https://foo.com" "https://*.foo.com")
This flexibility assists developers that need to delegate permissions to multiple subdomains (e.g., CDNs).
This is an in-progress change, the following components are needed:
Design Doc: https://docs.google.com/document/d/1_Y5qRs0CO2_R7o8M_YaVAWQvyjXniG70RG2z1a2uwN8/edit
closes #479
Preview | Diff