--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAKXHy%3DdwJ7DCVaKcF6BcGx81XB6uU8ELwsTxmXBoAynADy3bUQ%40mail.gmail.com.
On Jul 30, 2014 7:59 AM, "Mike West" <mk...@chromium.org> wrote:
>
> Hello, net-dev!
>
> I'd like to poke at teaching our mixed content checker about private addresses (http://w3c.github.io/webappsec/specs/mixedcontent/#private-url) in order to stop the web from screwing with my router via subresource fetches (https://crbug.com/378566).
>
> We're currently doing mixed content checks in Blink, while the information that I'd like to play with is in Net (net::IsHostnameNonUnique
Don't use this.
/net::IsIPAddressReserved
Use this.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACvaWvYzqCDxotFrLgxuivfstDXeEbMQjKfkwhF%2BcYF50mamSQ%40mail.gmail.com.
On Jul 30, 2014 9:50 AM, "Mike West" <mk...@google.com> wrote:
>
> Will: We can't talk directly to net from Blink, I believe (or, a quick
> search for "net/" includes turned up nothing). But we could certainly
> put a platform API in and pipe things down from the content layer.
>
> Matt: Right. That's step three. Step one is to do the easy stuff that
> should be trivial, because I know I have time for that. Step two is to
> find time to design a solution to step three. :)
>
> Ryan: Why only check IP addresses? Wouldn't it be desirable to block
> internal names as well? Or have I misunderstood the purpose of those
> two methods?
>
The IP check is exact.
The name check is not, its a rough guess, and shouldn't be in the *blocking* path for security decisions, especially as new gTLDs are spun up weekly (and even if they were all preloaded for the next two years, based on a supposed ICANN approval list, it'd still only be a heuristic)
On Jul 30, 2014 9:50 AM, "Mike West" <mk...@google.com> wrote:
>
> Will: We can't talk directly to net from Blink, I believe (or, a quick
> search for "net/" includes turned up nothing). But we could certainly
> put a platform API in and pipe things down from the content layer.
>
> Matt: Right. That's step three. Step one is to do the easy stuff that
> should be trivial, because I know I have time for that. Step two is to
> find time to design a solution to step three. :)
>
> Ryan: Why only check IP addresses? Wouldn't it be desirable to block
> internal names as well? Or have I misunderstood the purpose of those
> two methods?
>The IP check is exact.
The name check is not, its a rough guess, and shouldn't be in the *blocking* path for security decisions, especially as new gTLDs are spun up weekly (and even if they were all preloaded for the next two years, based on a supposed ICANN approval list, it'd still only be a heuristic)
On Jul 31, 2014 5:12 AM, "'Mike West' via net-dev" <net...@chromium.org> wrote:
>
> On Thu, Jul 31, 2014 at 1:54 PM, Chris Bentzel <cben...@chromium.org> wrote:
> > Rather than teach Blink about private addresses, would it make sense
> > to pipe down a "Cancel requests which result in internal network
> > address" down to the network stack and have it take care of it? This
> > would cover both IP literals as well as hostnames that resolve to
> > internal addresses.
It sounds like a pretty specific, weird API to add to the URLRequest interface (presumably via LoadFlags). Is mixed content blocking really supposed to be dependent on host resolution?
>
> Doing this check in the network stack is appealing: it has the
> advantage of really knowing what IP address we're connecting to for a
> resource rather than just looking at the domain name and guessing. We
> could certainly pipe all that resolution down to Blink, but that seems
> excessive.
>
> What would Blink see if the request is cancelled? Right now, we have
> moderately decent error messages for mixed content blocking; if we
> introduce blocks for connections to private IPs, I'd like to be able
> to have similar notification for developers.
>
> > Do we have an idea of what this would break? For example, Spotify
> > installs a web server on localhost which pages retrieved over the
> > internet can interact with
> > (http://cgbystrom.com/articles/deconstructing-spotifys-builtin-http-server/).
>
> I know this approach will break some things that Pebble is doing (see
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0099.html
> for example). I imagine it will break Enterprise Use Cases(tm) as
> well. The difficulty is that Pebble's/Spotify's use case is more or
> less indistinguishable from someone poking at my router in unfortunate
> ways. I'd like to prevent that if at all possible.
>
> > Compat/Security tradeoff might be worth it though.
>
> I believe it is, but it's something that we'll have to keep an eye on
> and evaluate as we go.
>
> -mike
>
> --
> You received this message because you are subscribed to the Google Groups "net-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
> To post to this group, send email to net...@chromium.org.
> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAKXHy%3Ddyb60q%2BecYL%2BkqC0PXCXGXSONCyZYohpONuP7OKzO7jw%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAKXHy%3Ddyb60q%2BecYL%2BkqC0PXCXGXSONCyZYohpONuP7OKzO7jw%40mail.gmail.com.
On Jul 31, 2014 4:10 PM, "William Chan (陈智昌)" <will...@chromium.org> wrote:
> It sounds like a pretty specific, weird API to add to the URLRequest interface (presumably via LoadFlags). Is mixed content blocking really supposed to be dependent on host resolution?
According to the really clever guy who wrote https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-fetch, yes.
-mike
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAA4WUYgZ9W%3DeU8xWN__GgshFRy40AR8RoeW27yfZ5ZbSJb_jnw%40mail.gmail.com.
WAT
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAA4WUYgZ9W%3DeU8xWN__GgshFRy40AR8RoeW27yfZ5ZbSJb_jnw%40mail.gmail.com.