Skip to content

Wildcards in Permissions Policy Origins #516

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 15 commits into from
Jun 9, 2023
Merged

Wildcards in Permissions Policy Origins #516

merged 15 commits into from
Jun 9, 2023

Conversation

@arichiv
Copy link
Member

@arichiv arichiv commented Jun 1, 2023
edited by pr-preview bot
Loading

This change harnesses Content Security Policy matching to allow wildcards in the origins of Permissions Policy allowlists. The goal of this is to provide greater granularity in permissions to better balance the ease and risk of a wildcard permission against what might otherwise be a long list of similar, yet distinct origins.

The only wildcard allowed before was *, which matched all origins.

Wildcards will now be supported for:

  • https://example.com:\* (ports, any port for example.com over https)
  • https://*.com (hosts, any https origin ending in .com)
  • https: (scheme-only, any https origin)

Feature: https://chromestatus.com/feature/5101218029895680

closes #479

Preview | Diff

@arichiv
Wildcards in Permissions Policy Origins
c00825f 
This change harnesses [Content Security Policy matching](https://www.w3.org/TR/CSP3/#matching-urls)
to allow wildcards in the origins of Permissions Policy allowlists.
The goal of this is to provide greater granularity in permissions to
better balance the ease and risk of a wildcard permission against what
might otherwise be a long list of similar, yet distinct origins.

The only wildcard allowed before was *, which matched all origins.

Wildcards will now be supported for:
* https://example.com:\* (ports, any port for example.com over https)
* https://\*.com (hosts, any https origin ending in .com)
* https: (scheme-only, any https origin)

Feature: https://chromestatus.com/feature/5101218029895680

closes #479
@arichiv arichiv self-assigned this Jun 1, 2023
@arichiv arichiv mentioned this pull request Jun 1, 2023
Closed
3 tasks
@arichiv arichiv requested review from annevk and clelland June 1, 2023 14:39
clelland
clelland reviewed Jun 6, 2023
View reviewed changes
@arichiv arichiv requested a review from clelland June 7, 2023 15:54
clelland
clelland reviewed Jun 9, 2023
View reviewed changes
Copy link
Collaborator

@clelland clelland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is looking pretty good -- a couple of issues with allow parsing though.

@clelland
Copy link
Collaborator

clelland commented Jun 9, 2023
edited
Loading

Thanks -- I think this looks good -- can you file an issue on CSP to export the three terms that we use here? (That shouldn't block merging this, but it would be good cleanup for later)

The only thing that we might want to do to tighten it up a bit would be to give Allowlist two actual properties, so that we don't have to keep referring to "the origin representing self/src in allowlist", and could actually link to a definition there. That would probably require accounting for those properties to possibly be null. We'd be able to assume at that point that the "list" part of the allowlist is just patterns, as well.

(Not necessary right now; this is functionally equivalent, but if you wanted to do that before merging, let me know and I'll hold off)

@arichiv arichiv mentioned this pull request Jun 9, 2023
Closed
@arichiv
Copy link
Member Author

arichiv commented Jun 9, 2023

Filed w3c/webappsec-csp#604

I think this can merge as is, I can circle back on that cleanup when the DFNs are exported by CSP.

@arichiv arichiv requested a review from clelland June 9, 2023 16:03
@arichiv arichiv merged commit dbb0ffb into main Jun 9, 2023
@arichiv arichiv deleted the csp branch June 9, 2023 16:04
github-actions bot added a commit that referenced this pull request Jun 9, 2023
@arichiv @github-actions
Merge pull request #516 from w3c/csp
28fff2b 
SHA: dbb0ffb
Reason: push, by arichiv

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@arichiv arichiv mentioned this pull request Jun 9, 2023
Closed
@clelland clelland mentioned this pull request Jun 22, 2023
Closed
arichiv added a commit to w3c/webappsec-csp that referenced this pull request Jun 26, 2023
@arichiv
Export DFNs used in Permissions-Policy
2a8b6e4 
Specifically: `scheme-source`, `host-source`, and `Does url match expression in origin with redirect count?`. These are used in w3c/webappsec-permissions-policy#516

closes #604
@arichiv arichiv mentioned this pull request Jun 26, 2023
Merged
arichiv added a commit to w3c/webappsec-csp that referenced this pull request Jun 28, 2023
@arichiv
Export DFNs used in Permissions-Policy (#607)
0f6446a 
Specifically: `scheme-source`, `host-source`, and `Does url match expression in origin with redirect count?`. These are used in w3c/webappsec-permissions-policy#516

closes #604
@clelland clelland mentioned this pull request Aug 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@clelland clelland clelland approved these changes

@annevk annevk Awaiting requested review from annevk

Assignees

@arichiv arichiv

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Client Hint delegation to multiple subdomains

3 participants

@arichiv @clelland