What happens in the event that a user is behind a proxy server and thus would not otherwise be performing local DNS resolutions?
Similarly, what happens in the event that a resource was available in the cache and would not otherwise have resulted in a network request?
What happens in the event of same-origin HTTP requests whereby the target origin is available (either simultaneously or at different times or on different networks) at both private and public IP addresses? (We once found that the Outlook Web Access single page application was broken when users took their laptops home, because the target IP and thus security zone changed as they moved their device between networks). Stated another way, should "External request" explicitly exclude "Same origin" requests? Or is the hope to use this mechanism to help mitigate DNS rebinding attacks?
On Tuesday, July 23, 2019 at 4:38:49 AM UTC-5, Mike West wrote:mk...@chromium.org https://wicg.github.io/cors-rfc1918/#integration-fetch Specification: https://wicg.github.io/cors-rfc1918/ "External requests" are those initiated from a public network, targeting a private network (e.g. internet -> intranet, or intranet -> loopback). These requests may only be initiated from a secure context. Servers running inside local networks, or on a users' device, expose powerful capabilities to the web in ways that can be quite dangerous. CORS-RFC1918 proposes a set of changes that can limit the impact of requests to these servers by ensuring that the servers are opting-into any communication with external entities. In order for this opt-in to have any meaning, the servers need to be able to ensure that the client origin is authenticated. To that end, only secure contexts are empowered to make external requests. This change is separable from the rest of CORS-RFC1918, and we can make it now, before the rest of the larger feature is ready.~0.05% of page views are currently loading at least one resource from a loopback address, and this change would affect them in one way or another: https://www.chromestatus.com/metrics/feature/timeline/popularity/1653. We'll need to do a little more digging to figure out exactly what will break and how much user-facing impact there would be. We will almost certainly need an enterprise opt-out of some sort (which is unfortunate, as enterprises are exactly the sort of things that have large local networks full of interesting resources!). Firefox: Mixed public signals (https://github.com/mozilla/standards-positions/issues/143, https://bugzilla.mozilla.org/show_bug.cgi?id=1481298) Edge: No public signals Safari: No public signals Web developers: Negative (https://bugs.webkit.org/show_bug.cgi?id=171934) Developers running local servers generally want those servers to keep running without alteration. The conversation on a tangentially-related WebKit bug is representative. Developers of non-secure sites that rely upon local servers will need to upgrade to HTTPS. This might cause some complications, as mixed-content checks will begin to apply. Chrome carves out HTTP access to loopback (as perhttps://w3c.github.io/webappsec-secure-contexts/#localhost), which is a release valve for folks who don't want to go through the effort of securely-distributing certs for local servers. This change should be security-positive.When blocking a request due to a secure-context restriction, we'll add a helpful message to the console. Yes No This will be quite difficult to test in WPT, because WPT does not directly support loopback addresses. See https://github.com/web-platform-tests/wpt/pull/5304. https://chromestatus.com/feature/5436853517811712Thanks!-mike
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6bd84a0b-8309-43fb-bc54-9d55e6581740%40chromium.org.
On Tue, Jul 23, 2019 at 5:17 PM Eric Lawrence <elaw...@chromium.org> wrote:What happens in the event of same-origin HTTP requests whereby the target origin is available (either simultaneously or at different times or on different networks) at both private and public IP addresses? (We once found that the Outlook Web Access single page application was broken when users took their laptops home, because the target IP and thus security zone changed as they moved their device between networks). Stated another way, should "External request" explicitly exclude "Same origin" requests? Or is the hope to use this mechanism to help mitigate DNS rebinding attacks?The draft does aim to poke at rebinding attacks: directly via the checks we'd do on each outgoing request, regardless of hostname; and indirectly, by requiring HTTPS (as in this intent), which gives internal servers a modicum of confidence that the CORS check we'll eventually force is referring to an authenticated server. This latter property means that Outlook could accept CORS preflights from its own origin, as that would be difficult indeed for an attacker to forge.It would, however, require the developer to understand that users' network movement can cause preflights, which will absolutely cause some havoc at some point in the future. Note again that _this_ intent is smaller, and simply requires that Outlook be securely hosted in order to make external requests at all. That should be simple enough to satisfy.
----On Tuesday, July 23, 2019 at 4:38:49 AM UTC-5, Mike West wrote:mk...@chromium.org https://wicg.github.io/cors-rfc1918/#integration-fetch Specification: https://wicg.github.io/cors-rfc1918/ "External requests" are those initiated from a public network, targeting a private network (e.g. internet -> intranet, or intranet -> loopback). These requests may only be initiated from a secure context. Servers running inside local networks, or on a users' device, expose powerful capabilities to the web in ways that can be quite dangerous. CORS-RFC1918 proposes a set of changes that can limit the impact of requests to these servers by ensuring that the servers are opting-into any communication with external entities. In order for this opt-in to have any meaning, the servers need to be able to ensure that the client origin is authenticated. To that end, only secure contexts are empowered to make external requests. This change is separable from the rest of CORS-RFC1918, and we can make it now, before the rest of the larger feature is ready.~0.05% of page views are currently loading at least one resource from a loopback address, and this change would affect them in one way or another: https://www.chromestatus.com/metrics/feature/timeline/popularity/1653. We'll need to do a little more digging to figure out exactly what will break and how much user-facing impact there would be. We will almost certainly need an enterprise opt-out of some sort (which is unfortunate, as enterprises are exactly the sort of things that have large local networks full of interesting resources!). Firefox: Mixed public signals (https://github.com/mozilla/standards-positions/issues/143, https://bugzilla.mozilla.org/show_bug.cgi?id=1481298) Edge: No public signals Safari: No public signals Web developers: Negative (https://bugs.webkit.org/show_bug.cgi?id=171934) Developers running local servers generally want those servers to keep running without alteration. The conversation on a tangentially-related WebKit bug is representative. Developers of non-secure sites that rely upon local servers will need to upgrade to HTTPS. This might cause some complications, as mixed-content checks will begin to apply. Chrome carves out HTTP access to loopback (as perhttps://w3c.github.io/webappsec-secure-contexts/#localhost), which is a release valve for folks who don't want to go through the effort of securely-distributing certs for local servers. This change should be security-positive.When blocking a request due to a secure-context restriction, we'll add a helpful message to the console. Yes No This will be quite difficult to test in WPT, because WPT does not directly support loopback addresses. See https://github.com/web-platform-tests/wpt/pull/5304. https://chromestatus.com/feature/5436853517811712Thanks!-mike
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6bd84a0b-8309-43fb-bc54-9d55e6581740%40chromium.org.
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3Dcf4hom_%3DHD034-Wv63yLPMs%2BgRfnc5k4wvatHDbSE6HA%40mail.gmail.com.