Intent to Ship: Stricter mixed content check for blob and filesystem URLs

[Frédéric Wang]

Contact emails

fw...@chromium.org

Specification

https://w3c.github.io/webappsec-mixed-content/

Summary

The Mixed Content specification describes how a user agent should handle fetching of unsecure content from a secure context. For that purpose, Chrome currently treats any blob: and filesystem: content as secure although the spec says their origin should be checked instead (i.e. blob://https://... is secure but blob://http://... is not). This change is about making the mixed content checker follow this stricter behavior.

Blink component

Blink>SecurityFeature>SecureContexts

Risks

Interoperability and Compatibility

Interop: Currently browsers implement different rules but in general they seem to agree about increasing security, so this is going into the right direction. Compat: There is a possible regression since Chrome will now treat some pages like blob://http://... as unsecure for the purpose of mixed content check.

Gecko: No signal

Edge: No signal

WebKit: No signal

Web developers: No signals

Is this feature fully tested by web-platform-tests?

No (only internal tests)

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1172988

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5721818595852288

This intent message was generated by Chrome Platform Status.

-- 
Frédéric Wang

[Domenic Denicola]

From: blin...@chromium.org <blin...@chromium.org> On Behalf Of Frédéric Wang

> Is this feature fully tested by https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md?
> No (only internal tests)

Do you plan to add such tests as part of this work?

[Frédéric Wang]

The current CL (
https://chromium-review.googlesource.com/c/chromium/src/+/2662116 ) does
not have WPT tests, but yeah new one should probably be added. Note
however that despite the fact that the filesystem: scheme is mentioned
on the Secure Contexts spec, it's really a chrome-specific one and is
not considered by the WHATWG's URL spec (
https://url.spec.whatwg.org/#concept-url-origin ). So not sure we can
really write a test for that one.

--
Frédéric Wang

[Mike Taylor]

On 2/1/21 1:28 PM, Frédéric Wang wrote:
> The current CL (
> https://chromium-review.googlesource.com/c/chromium/src/+/2662116 ) does
> not have WPT tests, but yeah new one should probably be added. Note
> however that despite the fact that the filesystem: scheme is mentioned
> on the Secure Contexts spec, it's really a chrome-specific one and is
> not considered by the WHATWG's URL spec (
> https://url.spec.whatwg.org/#concept-url-origin ). So not sure we can
> really write a test for that one.

A ".tentative" test may be an option for the filesystem stuff:

<https://web-platform-tests.org/writing-tests/file-names.html>

[Mike West]

This is simply a bug in our implementation, counter to the spec (and good sense!). I'd be comfortable shipping it as a bug fix. So, at least LGTM1. :)

I agree with both Domenic that we really do need WPT for this, and with Mike that `.tentative` is a reasonable way of supporting `filesystem:` tests in WPT (possibly with an `assert_implements_optional("webkitRequestFileSystem" in window)` gate).

-mike

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4dfdf5af-0fb7-bed8-b346-fabae6506a53%40google.com.

[yo...@yoav.ws]

LGTM2

[Daniel Bratell]

LGTM3

But please make a reasonable attempt at a WPT so that we ensure interoperability in the future.

/Daniel

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/33181379-22cb-44a5-b1d1-6ee73204271dn%40chromium.org.

[Joshua Bell]

On Wed, Feb 3, 2021 at 5:54 AM Mike West <mk...@chromium.org> wrote:

This is simply a bug in our implementation, counter to the spec (and good sense!). I'd be comfortable shipping it as a bug fix. So, at least LGTM1. :)

I agree with both Domenic that we really do need WPT for this, and with Mike that `.tentative` is a reasonable way of supporting `filesystem:` tests in WPT (possibly with an `assert_implements_optional("webkitRequestFileSystem" in window)` gate).

Minor aside on this - we're not attempting to push for adoption of "filesystem:" URLs beyond Chrome, so consider landing those tests in third_party/blink/web_tests/wpt_internal/ instead. Tests should be written and executed in exactly the same way and could easily be upstreamed if our stance ever changes.

 

-mike

On Mon, Feb 1, 2021 at 10:28 PM 'Mike Taylor' via blink-dev <blin...@chromium.org> wrote:

On 2/1/21 1:28 PM, Frédéric Wang wrote:
> The current CL (
> https://chromium-review.googlesource.com/c/chromium/src/+/2662116 ) does
> not have WPT tests, but yeah new one should probably be added. Note
> however that despite the fact that the filesystem: scheme is mentioned
> on the Secure Contexts spec, it's really a chrome-specific one and is
> not considered by the WHATWG's URL spec (
> https://url.spec.whatwg.org/#concept-url-origin ). So not sure we can
> really write a test for that one.

A ".tentative" test may be an option for the filesystem stuff:

<https://web-platform-tests.org/writing-tests/file-names.html>

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4dfdf5af-0fb7-bed8-b346-fabae6506a53%40google.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DcKTUAkFH5tXsiRRXUkzY%3D8oeAMCz7sU0uxRfhHp7upQA%40mail.gmail.com.

[Frédéric Wang]

Le 05/02/2021 à 02:01, Joshua Bell a écrit :

Minor aside on this - we're not attempting to push for adoption of "filesystem:" URLs beyond Chrome, so consider landing those tests in third_party/blink/web_tests/wpt_internal/ instead. Tests should be written and executed in exactly the same way and could easily be upstreamed if our stance ever changes.

Thank you everybody. I'll look into how I can write a WPT test. I think I prefer the option of putting filesystem in wpt_internal, though.

-- 
Frédéric Wang

[Frédéric Wang]

Hi,

I tried a WPT with a https page opening a (http or https) popup which in turns create a blob. Then using the fetch API or a <script src> to request the blob url gives the following errors:

CONSOLE ERROR: line 16: Fetch API cannot load blob:http://web-platform.test:8001/818acb4f-1c92-4188-896d-bde429ccd113. URL scheme must be "http" or "https" for CORS request.
CONSOLE ERROR: line 29: Not allowed to load local resource: blob:http://web-platform.test:8001/818acb4f-1c92-4188-896d-bde429ccd113

This seems to happen before the mixed content check, so it actually does not detect the behavior change of the CL. I'm not sure there is a way to play with the definitions of "potentially trustworthy origin" and "mixed content" to write a test that actually exhibits the behavior change ; or whether the change is just not web-exposed. In any case, my CL now has an internal test for blob/filesystem and this wpt test for blob. At the end, I believe I'll skip the internal wpt test for filesystem given previous feedback that we don't plan to standardize this scheme.

-- 
Frédéric Wang

[Marijn Kruisselbrink]

It sounds like what you're running into is that in at least the chrome implementation blob URLs are not allowed to be fetched cross-origin. So for subresource requests the page loading the blob URL and the blob URL itself always have to be same origin, and most navigations can only be initiated by same-origin windows as well. Unfortunately not all browsers behave quite the same, and none of this is currently really specified (see https://github.com/whatwg/fetch/issues/666 for some details). But yes, I think you're right and there shouldn't be any way to get mixed origin content using blob URLs.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/289e4365-fdd7-7a9e-22c6-7ef2f5322773%40igalia.com.