Thus, we'd like to try to find a more general solution, and we'd love to get suggestions. One idea that we like is basically to provide a checkbox in Dev Tools to allow a developer to specify that this origin should be treated as secure temporarily. This would allow you to test on all platforms, albeit on Android you'd need to connect via ADB to get DevTools, but it seems that any non-trivial development on Android requires this anyway.
What are the community's thoughts? Do you have suggestions? Please don't suggest getting rid of the secure context requirement because, well, that's on the table :-)
As possibly less involved variant of that (adding a 'Developer Profile' mode would take quite a lot of UI), we could burn either URL scheme or a TLD (I believe .test is reserved?). And in DevTools, one could configure mappings like:
https://site1.my-test-site.com.test -> localhost:1234https://site2.my-test-site.com.test -> localhost:5678
We would speak to those ports over localhost + HTTP (not HTTPS), so no need to mess with certificates and such, but we'd act as if they were secure origins. Being in a separate TLD keeps the state from colliding with real origins, and one needs to go to DevTools to configure this at all. It also means you can test your site in setups that are closer to reality than http://localhost:1234. Maybe you have some wonky JS somewhere that explodes if window.location reports HTTPS.
On Thu, Jul 28, 2016 at 2:09 PM Ryan Sleevi <rsl...@chromium.org> wrote:On Thu, Jul 28, 2016 at 10:06 AM, Joel Weinberger <j...@chromium.org> wrote:Thus, we'd like to try to find a more general solution, and we'd love to get suggestions. One idea that we like is basically to provide a checkbox in Dev Tools to allow a developer to specify that this origin should be treated as secure temporarily. This would allow you to test on all platforms, albeit on Android you'd need to connect via ADB to get DevTools, but it seems that any non-trivial development on Android requires this anyway.That seems non-ideal, since one of the conditions of the flags is that you specify a profile-dir to avoid things like cache polution/MITM.
What are the community's thoughts? Do you have suggestions? Please don't suggest getting rid of the secure context requirement because, well, that's on the table :-)Have you considered a 'Developer Profile' mode, similar to Incognito Profile & normal user Profiles?A 'Developer Profile' mode could initialize 'as if' it was a new profile dir (that is, away from the user's profile), clearly indicate it was developer mode (and thus greater security risk, perhaps as a non-dismissible security warning that appears as part of/below the omnibox/chrome), but then allow things like DevTools-specified origins to be treated as secure.
Thus, we created the --unsafely-treat-insecure-origin-as-secure flag for developer testing (see Testing a Deprecated Powerful Feature for more info on using this flag).
That seems non-ideal, since one of the conditions of the flags is that you specify a profile-dir to avoid things like cache polution/MITM.Agreed. My proposal would definitely risk pollution issues. Maybe when you check that box we do a full clear of origin browsing data and history?
Have you considered a 'Developer Profile' mode, similar to Incognito Profile & normal user Profiles?A 'Developer Profile' mode could initialize 'as if' it was a new profile dir (that is, away from the user's profile), clearly indicate it was developer mode (and thus greater security risk, perhaps as a non-dismissible security warning that appears as part of/below the omnibox/chrome), but then allow things like DevTools-specified origins to be treated as secure.Cool idea! As David mentioned, it would probably be a very big UX change. What about only allowing the Dev Tools option in Incognito mode? I don't know if we have any precedence for that, but it seems doable (and much simpler).
On Thu, Jul 28, 2016 at 3:47 PM, Joel Weinberger <j...@chromium.org> wrote:That seems non-ideal, since one of the conditions of the flags is that you specify a profile-dir to avoid things like cache polution/MITM.Agreed. My proposal would definitely risk pollution issues. Maybe when you check that box we do a full clear of origin browsing data and history?Seems like a way to anger a lot of developers who accidentally do it. We'd also have to consider the integration of features like Sync or Autofill - should those entries be available in this mode? (My understanding, perhaps incorrectly, is that --user-data-dir avoids all of those concerns)
Have you considered a 'Developer Profile' mode, similar to Incognito Profile & normal user Profiles?A 'Developer Profile' mode could initialize 'as if' it was a new profile dir (that is, away from the user's profile), clearly indicate it was developer mode (and thus greater security risk, perhaps as a non-dismissible security warning that appears as part of/below the omnibox/chrome), but then allow things like DevTools-specified origins to be treated as secure.Cool idea! As David mentioned, it would probably be a very big UX change. What about only allowing the Dev Tools option in Incognito mode? I don't know if we have any precedence for that, but it seems doable (and much simpler).The concern with Incognito is that it'd still be different/distinct enough from normal browsing that it may or may not meet the right use cases. For example, the aforementioned Autofill (is requestAutoComplete still a thing? Maybe not?) or testing things like Service Worker (which may assume a backing disk cache to test over repeated visits, but Incognito would lack that)I fully admit to not having fully though the idea through. My suggestion was specifically trying to reduce "big UX changes" by having the Dev profile go through all the normal profile initialization code (e.g. not Incognito), but then trigger a toast (like we already do for dangerous command-line flags). I didn't think it'd be a very big UX change, so I'm sure there's a piece I'm missing.
Seems like a way to anger a lot of developers who accidentally do it. We'd also have to consider the integration of features like Sync or Autofill - should those entries be available in this mode? (My understanding, perhaps incorrectly, is that --user-data-dir avoids all of those concerns)Fair point. Personally, I don't think I'm as tied to the unique profile as you are. Dev Mode has plenty of foot guns as it is, so it doesn't seem crazy to me to put this in there.
On Thu, Jul 28, 2016 at 4:09 PM, Joel Weinberger <j...@chromium.org> wrote:Seems like a way to anger a lot of developers who accidentally do it. We'd also have to consider the integration of features like Sync or Autofill - should those entries be available in this mode? (My understanding, perhaps incorrectly, is that --user-data-dir avoids all of those concerns)Fair point. Personally, I don't think I'm as tied to the unique profile as you are. Dev Mode has plenty of foot guns as it is, so it doesn't seem crazy to me to put this in there.Mostly, I'm uneasy with the "clear all data" proposal, because it's much harder to enter that data on mobile.
If I wanted to test a single site on a device, it'd mean nuking all of my data and history. If we assume such developers have multiple Android/Chromebook devices (e.g. one for personal, one for development), this isn't so bad, but my gut tells me that the developers trying to test on Android are likely going to use their personal device they use for other things, and the idea of nuking all data in order to enable dev mode seems like... a very high price to pay. That's why I'm trying to find a solution that doesn't involve that sort of significant disruption.On Desktop, modifying the --user-data-dir doesn't force me to lose any of my other data; I can always remove the --user-data-dir and get back to 'my' profile. That also seems to be the principles between Canary (aka SxS).Just explaining the rationale, since it may not have been clear why I'm pretty uncomfortable with the idea of clearing data based on checking something in DevTools. I'm fairly certain it's clear that I feel strongly about the need to avoid corrupting 'user' state via 'insecure' mode though, so I'm not relitigating that :)
... I think devs often want to run tests on their real domains, albeit over HTTP. Frankly, I don't understand the reasoning, so maybe we don't care.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
On Thu, Jul 28, 2016 at 11:18 AM David Benjamin <davi...@chromium.org> wrote:As possibly less involved variant of that (adding a 'Developer Profile' mode would take quite a lot of UI), we could burn either URL scheme or a TLD (I believe .test is reserved?). And in DevTools, one could configure mappings like:
https://site1.my-test-site.com.test -> localhost:1234https://site2.my-test-site.com.test -> localhost:5678
We would speak to those ports over localhost + HTTP (not HTTPS), so no need to mess with certificates and such, but we'd act as if they were secure origins. Being in a separate TLD keeps the state from colliding with real origins, and one needs to go to DevTools to configure this at all. It also means you can test your site in setups that are closer to reality than http://localhost:1234. Maybe you have some wonky JS somewhere that explodes if window.location reports HTTPS.That sounds interesting, although for reasons I don't fully comprehend, I think devs often want to run tests on their real domains, albeit over HTTP. Frankly, I don't understand the reasoning, so maybe we don't care.
On Thu, Jul 28, 2016 at 6:48 PM Joel Weinberger <j...@chromium.org> wrote:On Thu, Jul 28, 2016 at 11:18 AM David Benjamin <davi...@chromium.org> wrote:As possibly less involved variant of that (adding a 'Developer Profile' mode would take quite a lot of UI), we could burn either URL scheme or a TLD (I believe .test is reserved?). And in DevTools, one could configure mappings like:
https://site1.my-test-site.com.test -> localhost:1234https://site2.my-test-site.com.test -> localhost:5678
We would speak to those ports over localhost + HTTP (not HTTPS), so no need to mess with certificates and such, but we'd act as if they were secure origins. Being in a separate TLD keeps the state from colliding with real origins, and one needs to go to DevTools to configure this at all. It also means you can test your site in setups that are closer to reality than http://localhost:1234. Maybe you have some wonky JS somewhere that explodes if window.location reports HTTPS.That sounds interesting, although for reasons I don't fully comprehend, I think devs often want to run tests on their real domains, albeit over HTTP. Frankly, I don't understand the reasoning, so maybe we don't care.If we're to consider that a constraint (which, I agree, seems a nonsense constraint, but I do not know the reasoning), we should definitely figure out the reason first, to see what we could provide with alternate mechanisms. That is a very strong constraint and I think basically forces the separate profile to keep the statefulness from going crazy.(I actually think having a separate profile would be by far the best option if feasible. But my recollection is the two platforms where --user-data-dir doesn't work, Android and CrOS, are also the two where multiprofile is wonky, so this might be involved. Or maybe I'm wrong and this is actually straightforward.)
Here's a idea: how about a source that's remote debugged is considered secure? It's very easy on any desktop to run chrome/chromium and remote debug on a connected Android device. This constellation would allow to "run as secure" since it requires debugging mode and USB connection - if that's not secure you have a problem to begin with :-)
Just a thought
I know very little about Android and remote debugging, but that doesn't sound like a bad idea. Any Android-y folks out there have thoughts on this?
It'd have to be an option that you specifically enable in devtools, rather than something that happened automatically while debugging.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
... it's not that difficult now with Let's Encrypt and it makes development and testing much more like production.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
PS: If websites ask to turn on debug features in your browser and you're stupid enough to do so you deserve what you get.
I was assuming if we added this feature to devtools we would add it on desktop for local debugging as well as remote, which makes it more likely someone could be encouraged to do it ill-advisedly. If it was only for remote debugging I agree it's unlikely, but I don't see why it should be; the problem isn't really that different between desktop and mobile.