Intent to Deprecate and Remove: Same-origin blanket enforcement in CSPEE


Jun Kokatsu

Sep 28, 2023, 8:24:11 PM
to blink-dev
Contact emails

jkok...@google.com


Explainer

None


Specification

https://github.com/w3c/webappsec-cspee/pull/28/files


Summary

Removes a special treatment for same-origin iframes from CSP Embedded Enforcement. This aligns the behavior of enforcing CSP Embedded Enforcement for cross-origin iframes and same-origin iframes.



Blink component

Blink>SecurityFeature>ContentSecurityPolicy


Motivation

The same-origin blanket enforcement logic specific to same-origin iframes exposes a new way to block certain resources from loading in the iframe. This allowed an attack which was not possible before (example).


Additionally, this caused a bug where the CSP nonce value enforced by CSPEE from a top frame had to exactly match the nonce value served in a grand-child frame, if the top frame and child frame are cross-origin, but the child frame and grand-child frame are same-origin.


Given this part of blanket enforcement is rarely used (~0.000017%), let's remove this logic.



Initial public proposal

None


TAG review

None


TAG review status

Not applicable


Risks

Interoperability and Compatibility

None



Gecko: Positive


WebKit: No signal


Web developers: No signals


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

Yes


Flag name on chrome://flags

None


Finch feature name

None


Non-finch justification

None


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1263288


Estimated milestones

M120



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5098158594195456

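As an added example (not part of this intent, the spec PR or Chromium's code), the following JavaScript models the CSPEE decision the intent discusses: whether a response may load in an `<iframe csp="...">`, with the same-origin blanket-enforcement branch made switchable so the behaviour before and after the removal can be compared. It assumes the `Allow-CSP-From` opt-in header from the CSPEE spec, constructed origins and headers, and a deliberately simplified subsumption check.

```javascript
// Model of the CSP Embedded Enforcement (CSPEE) check for a framed response.
// Illustrative only: origins, headers and the subsumption rule are constructed.

// Parse "directive src src; directive src" into Map<directive, Set<source>>.
function parsePolicy(csp) {
  const policy = new Map();
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name) policy.set(name.toLowerCase(), new Set(sources));
  }
  return policy;
}

// Simplified subsumption: every directive the embedder requires must be
// present in the embedded document's own policy and may only allow sources
// the required policy also allows. The spec algorithm is more nuanced.
function subsumes(embedded, required) {
  for (const [name, requiredSources] of required) {
    const embeddedSources = embedded.get(name);
    if (!embeddedSources) return false;
    for (const source of embeddedSources) {
      if (!requiredSources.has(source)) return false;
    }
  }
  return true;
}

// Decide whether `response` may load in a frame whose embedder has origin
// `embedderOrigin` and requires `requiredCsp`. `sameOriginBlanket` switches
// the legacy branch that this intent removes.
function checkEmbeddedEnforcement({ embedderOrigin, response, requiredCsp },
                                  { sameOriginBlanket = false } = {}) {
  const required = parsePolicy(requiredCsp);
  // Legacy branch: a same-origin response had the embedder's policy applied
  // directly, skipping the opt-in and subsumption checks below.
  if (sameOriginBlanket && response.origin === embedderOrigin) {
    return { result: 'allowed', enforced: requiredCsp };
  }
  // Opt-in: the embedded document explicitly accepts the embedder's policy.
  const allowFrom = response.headers['allow-csp-from'];
  if (allowFrom === '*' || allowFrom === embedderOrigin) {
    return { result: 'allowed', enforced: requiredCsp };
  }
  // Otherwise the embedded document's own policy must be at least as strict.
  const own = response.headers['content-security-policy'] || '';
  if (subsumes(parsePolicy(own), required)) {
    return { result: 'allowed', enforced: own };
  }
  return { result: 'blocked', enforced: null };
}
```

With the legacy branch on, a same-origin child serving its own nonce has the top frame's nonce enforced instead (the mismatch the intent describes); with it off, the same-origin and cross-origin cases take the same path.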

Yoav Weiss

Oct 4, 2023, 6:38:30 AM
to blink-dev, Jun Kokatsu
LGTM1

Usage seems low enough to make this safe still.

Mike Taylor

Oct 6, 2023, 11:00:00 AM
to Yoav Weiss, blink-dev, Jun Kokatsu

LGTM2


Mike Taylor

Oct 6, 2023, 11:00:56 AM
to Yoav Weiss, blink-dev, Jun Kokatsu

Also, please request cross-functional review bits in the chromestatus entries.

chrishtr via Chromestatus

Oct 13, 2023, 1:32:43 PM
to blin...@chromium.org
LGTM

Mike Taylor

Oct 13, 2023, 2:50:43 PM
to chrishtr via Chromestatus, blin...@chromium.org

LGTM2

On 10/13/23 1:32 PM, chrishtr via Chromestatus wrote:
LGTM