What do you mean "Not any less secure"? It violated the privacy guarantees of HTTPS.
Yes, loading any resource over HTTP from an HTTPS sourced page is meant to cause a UI degredating. Even for things like favicons.
Prefetch is slightly different in that the source document doesn't actually incorporate the result into anything, so we neither break script nor break the promise that all pixels in the tab are authenticated.
We do, however, break the promise that the page can't compute a URL out of data private to that origin and send it over the network in the clear. Insofar as that was a promise anyway; they could convince the user to click a link or a.click() in JS. User needn't even notice the document changing because the HTTP resource might just return 204.
Unless we plan to tighten that which seems difficult to make sound and compatible, I'd actually lean towards saying mixed content for prefetch is not inherently insane. So it's the question of whether the deprecated use case of optimizing plain HTTP is worth the minor complexity of a mixed content carve out for prefetch.
Prefetch is slightly different in that the source document doesn't actually incorporate the result into anything, so we neither break script nor break the promise that all pixels in the tab are authenticated.
We do, however, break the promise that the page can't compute a URL out of data private to that origin and send it over the network in the clear. Insofar as that was a promise anyway; they could convince the user to click a link or a.click() in JS. User needn't even notice the document changing because the HTTP resource might just return 204.
I believe the current behavior, of treating prefetched HTTP stuff as
mixed-content, is correct.
* A plaintext request was sent, possibly including cookies or other
authenticators, and leaking information about the person's browsing
habits
* Cybervillains may have injected an eeeeevil response (do we parse
prefetched stuff immediately)?
* If prefetch is useful, and it is, it's because the origin is about
to use that prefeteched resource very soon, in which case mixed
content policy definitely applies
On Fri, Apr 17, 2015 at 8:36 AM, David Benjamin <davi...@chromium.org> wrote:Prefetch is slightly different in that the source document doesn't actually incorporate the result into anything, so we neither break script nor break the promise that all pixels in the tab are authenticated.
I want to be careful here - it's not simply the promise that all pixels are authenticated, but that confidentiality has been maintained.
We do, however, break the promise that the page can't compute a URL out of data private to that origin and send it over the network in the clear. Insofar as that was a promise anyway; they could convince the user to click a link or a.click() in JS. User needn't even notice the document changing because the HTTP resource might just return 204.
I think it's worth distinguishing whether there was a direct user action. prefetch is the author choosing to violate the user's privacy, clicking a link (in as much as we can blame the user) is a choice of the user action.
Alternatively, since an adversarial author is unrealistic, we can give up on treating the confidentiality aspect as a promise to the user. Instead, it's an attempt to catch common authoring bugs. So now we're less talking about whether <link rel=prefetch> breaks a security policy (because nothing it breaks is a policy we enforce) and more whether this is an acceptable use case or a bug we want to proactively guard against.
If used to predict a navigation, I think this is a perfectly acceptable use case. If used to predict a subresource of the current document, this is clearly a bug. So the question is: is the former use case worth not guarding against the latter bug?
So now we're less talking about whether <link rel=prefetch> breaks a security policy (because nothing it breaks is a policy we enforce) and more whether this is an acceptable use case or a bug we want to proactively guard against.
If used to predict a navigation, I think this is a perfectly acceptable use case. If used to predict a subresource of the current document, this is clearly a bug. So the question is: is the former use case worth not guarding against the latter bug?
On Apr 27, 2015 6:51 AM, "Chris Bentzel" <cben...@chromium.org> wrote:
>
> Are there any updates on thoughts here? If there is any interest in exempting prefetch from mixed-content it would be great to incorporate the changes. I personally think it should be exempt, but understand reasons for why it is included.
>
> Also - if we decide that prefetch of http resources from https pages is treated as mixed-content, would the same also apply to prefetching of https resources from https pages since passive observers could still view DNS requests and SNI in the https handshake?
>
That latter question comes up every few quarters with respect to prefetch and HTTPS. There's an inherent tension about whether or not it is akin to a "master password" - that is, a change that gives users the appearance of security without actually securing them.
The argument for (restricting) is that it is obviously a privacy leak. The argument against is that other leaks exist for passive attackers that have large scale statistical capabilities, some of which cannot be restricted solely by the UA, ergo in either event, we require the server to cooperate in the privacy preservation.
A server that does not cooperate - that uses prefetch, that doesn't mask traffic analysis, that embeds mixed optionally block able content - is a layer 8 problem, not layer 7.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
On Tue, Apr 28, 2015, 2:51 PM Chris Palmer <pal...@google.com> wrote:
I prefer the latter.
(Did we already talk about the possibility of upgrading HTTP prefetches from HTTTPS contexts to HTTPS?)
Not that I'm aware of - but not really sure this is a great approach particularly if subsequent requests are just to the http origin (and hence won't match what got prefetched).
In related news, took a first run at "Security and Privacy" section for Resource Hints (preconnect, prefetch, prerender):