Intent to implement and ship: annotating parts of navigator.credentials with [SecureContext]
29 views
Skip to first unread message
Dominic Battre
Jan 25, 2017, 10:40:32 PM1/25/17
to blin...@chromium.org
Contact emails
Spec
Relevant delta to spec: https://github.com/w3c/webappsec-credential-management/pull/55/commits/a58d0ba3a4a53c53fa1f469fd8ebab5afc18e355
Chrome CL: https://codereview.chromium.org/2634923003/
Summary
I would like to reflect a small change in the Credential Management API spec in Chrome's implementation that labels a couple of interfaces and in particular navigator.credentials with [SecureContext]. This will make navigator.credentials invisible in insecure contexts.
The Credential Management API has undergone the intent to ship process here.
Motivation
Security in depth and clean up. Don't allow access to powerful features in insecure contexts.
Interoperability and Compatibility Risk
This is a visible API change but should not have any major consequences in my opinion:
1) navigator.credentials is currently only implemented by Chrome, websites need to probe it anyway.
2) the methods of navigator.credentials rejected calls with a security error before - now they will be invisible.
3) only few sites use the credential management API today.
Annotating the interfaces with [SecureContext] will have no immediate impact because Chrome does not interpret the label, yet. This will have a visible impact in the future!
Ongoing technical constraints
[SecureContext] is currently not implemented for interfaces. It may be at some point which will cause another publicly visible API change.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
OWP launch tracking bug
http://crbug.com/576705
http://crbug.com/400674 (implementation)
Link to entry on the feature dashboard
Requesting approval to ship?
Yes.
--
Google Germany GmbH - Erika-Mann-Str. 33 - 80636 München - Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle
PhistucK
Jan 26, 2017, 4:24:28 AM1/26/17
to Dominic Battre, blink-dev
So... To summarize -
To be done now -
navigator.credentials is removed from insecure documents.
To be done at some point (once the bindings of [SecureContext] in interfaces is implemented) -
Credential, FederatedCredential, PasswordCredential, SiteBoundCredential are removed from insecure documents.
Is this correct?
If so, I think this should be an intent to remove (or deprecate and remove), not an intent to implement and ship.
(People notice removals more than shippings and you are removing something, despite the fact that you add something technical in order to remove it)
And I hope nothing is forgotten when [SecureContext] is implemented for interfaces and an intent to remove for all of those interfaces (and others that will also already have it) in insecure documents is sent.
☆PhistucK
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Mike West
Jan 26, 2017, 8:07:49 AM1/26/17
to PhistucK, Elliott Sprehn, Dominic Battre, blink-dev
We implemented this API before `[SecureContext]` was a thing, so we locked it to secure contexts by throwing a security error when calling its methods. The change Dominic is suggesting here aligns our implementation with the spec by ensuring that the bits and pieces of the API aren't exposed in the first place.
This seems quite safe, as developers who are using the API today already have to be testing for the presence of `navigator.credentials` given the lack of support in other browsers. More saliently, the only developers who would be effected by this change would already be unable to make use of the API.
All that said, Dominic is correct that our implementation of `[SecureContext]` is incomplete. As I recall, esprehn@ (CC'd) was concerned about the performance impact of the very-similar origin trial attribute on frame creation, so I held off on finishing things.
Assuming that those concerns have been addressed, I can commit to ensuring that the attribute works for interfaces as well as attributes in the same release that Dominic adds it to the relevant interfaces.
-mike
PhistucK
Jan 26, 2017, 8:10:08 AM1/26/17
to Mike West, Elliott Sprehn, Dominic Battre, blink-dev
This is still a removal, it does not matter whether it used to throw an exception or not...
☆PhistucK
Jochen Eisinger
Jan 26, 2017, 9:18:26 AM1/26/17
to PhistucK, Mike West, Elliott Sprehn, Dominic Battre, blink-dev
lgtm1 to ship the removal
-mike
☆PhistucK
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Chris Harrelson
Jan 28, 2017, 2:14:06 PM1/28/17
to Jochen Eisinger, PhistucK, Mike West, Elliott Sprehn, Dominic Battre, blink-dev
LGTM2
-mike
☆PhistucK
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Dimitri Glazkov
Jan 28, 2017, 2:51:47 PM1/28/17
to Chris Harrelson, Jochen Eisinger, PhistucK, Mike West, Elliott Sprehn, Dominic Battre, blink-dev
lgtm3
LGTM2
-mike
☆PhistucK
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Reply all
Reply to author
Forward
0 new messages