Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/bAMVnc1Zyvs/M3VnxbYPBC0J (which I neglected to follow up on for over 2 years... *sigh*)
Summary
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hunter2@example.com/yay.tiff"). Such resources would be handled as network errors.
We've taken steps in this direction in the past (see the discussion in https://bugs.chromium.org/p/chromium/issues/detail?id=174179 and https://bugs.chromium.org/p/chromium/issues/detail?id=303046). My hope is that usage has decreased in the last ~2 years to the point where it makes sense to try again.
Motivation
Hard-coding credentials into subresource requests is a) crazypants, b) problematic from a security perspective, as it's allowed folks to brute-force credentials in the past. These dangers are exacerbated for credentialed subresource requests that reach into internal IP ranges (your routers, etc). Given the low usage, closing this (small) security hole seems quite reasonable.
Compatibility And Interoperability Risk
Other browsers generally support embedded credentials in subresources. Based on offhand conversations with folks in WebAppSec meetings, my subjective impression is that this isn't a very popular feature, and that we'd be able to get other browser vendors on board if we're successful this time around.
Alternative implementation suggestion for web developers
Developers can embed resources that do not require basic/digest auth, relying instead on cookies and other session management mechanisms.
Usage information from UseCounter
Generally, we've been on a downward slide since we added metrics at the end of 2014: https://www.chromestatus.com/metrics/feature/timeline/popularity/532. Over the 28 days, usage was 0.0012% of page views. That's not huge, but it's not nothing.
The number also includes image requests, even though we've been ignoring the embedded username/password for those requests since ~2013.
The spike between the end of September and the beginning of December is super-weird, but also seems to have subsided.
OWP launch tracking bug
Entry on the feature dashboard
https://www.chromestatus.com/feature/5669008342777856
Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/bAMVnc1Zyvs/M3VnxbYPBC0J (which I neglected to follow up on for over 2 years... *sigh*)
Summary
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hun...@example.com/yay.tiff"). Such resources would be handled as network errors.
We've taken steps in this direction in the past (see the discussion in https://bugs.chromium.org/p/chromium/issues/detail?id=174179 and https://bugs.chromium.org/p/chromium/issues/detail?id=303046). My hope is that usage has decreased in the last ~2 years to the point where it makes sense to try again.
Motivation
Hard-coding credentials into subresource requests is a) crazypants, b) problematic from a security perspective, as it's allowed folks to brute-force credentials in the past. These dangers are exacerbated for credentialed subresource requests that reach into internal IP ranges (your routers, etc). Given the low usage, closing this (small) security hole seems quite reasonable.
Compatibility And Interoperability Risk
Other browsers generally support embedded credentials in subresources. Based on offhand conversations with folks in WebAppSec meetings, my subjective impression is that this isn't a very popular feature, and that we'd be able to get other browser vendors on board if we're successful this time around.
Alternative implementation suggestion for web developers
Developers can embed resources that do not require basic/digest auth, relying instead on cookies and other session management mechanisms.
Usage information from UseCounter
Generally, we've been on a downward slide since we added metrics at the end of 2014: https://www.chromestatus.com/metrics/feature/timeline/popularity/532. Over the 28 days, usage was 0.0012% of page views. That's not huge, but it's not nothing.
The number also includes image requests, even though we've been ignoring the embedded username/password for those requests since ~2013.
The spike between the end of September and the beginning of December is super-weird, but also seems to have subsided.
OWP launch tracking bug
Entry on the feature dashboard
-mike
is it possible to factor out the image loads?
what sites are using this for non-image loads?
On Mon, Jan 23, 2017 at 12:13 PM Mike West <mk...@chromium.org> wrote:
Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/bAMVnc1Zyvs/M3VnxbYPBC0J (which I neglected to follow up on for over 2 years... *sigh*)
Summary
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hunter2@example.com/yay.tiff"). Such resources would be handled as network errors.
We've taken steps in this direction in the past (see the discussion in https://bugs.chromium.org/p/chromium/issues/detail?id=174179 and https://bugs.chromium.org/p/chromium/issues/detail?id=303046). My hope is that usage has decreased in the last ~2 years to the point where it makes sense to try again.
Motivation
Hard-coding credentials into subresource requests is a) crazypants, b) problematic from a security perspective, as it's allowed folks to brute-force credentials in the past. These dangers are exacerbated for credentialed subresource requests that reach into internal IP ranges (your routers, etc). Given the low usage, closing this (small) security hole seems quite reasonable.
Compatibility And Interoperability Risk
Other browsers generally support embedded credentials in subresources. Based on offhand conversations with folks in WebAppSec meetings, my subjective impression is that this isn't a very popular feature, and that we'd be able to get other browser vendors on board if we're successful this time around.
Alternative implementation suggestion for web developers
Developers can embed resources that do not require basic/digest auth, relying instead on cookies and other session management mechanisms.
Usage information from UseCounter
Generally, we've been on a downward slide since we added metrics at the end of 2014: https://www.chromestatus.com/metrics/feature/timeline/popularity/532. Over the 28 days, usage was 0.0012% of page views. That's not huge, but it's not nothing.
The number also includes image requests, even though we've been ignoring the embedded username/password for those requests since ~2013.
The spike between the end of September and the beginning of December is super-weird, but also seems to have subsided.
OWP launch tracking bug
Entry on the feature dashboard
-mike
I'll totally lgtm1 this while freezing outside of the office...
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hun...@example.com/yay.tiff"). Such resources would be handled as network errors.
We've taken steps in this direction in the past (see the discussion in https://bugs.chromium.org/p/chromium/issues/detail?id=174179 and https://bugs.chromium.org/p/chromium/issues/detail?id=303046). My hope is that usage has decreased in the last ~2 years to the point where it makes sense to try again.
Motivation
Hard-coding credentials into subresource requests is a) crazypants, b) problematic from a security perspective, as it's allowed folks to brute-force credentials in the past. These dangers are exacerbated for credentialed subresource requests that reach into internal IP ranges (your routers, etc). Given the low usage, closing this (small) security hole seems quite reasonable.
Compatibility And Interoperability Risk
Other browsers generally support embedded credentials in subresources. Based on offhand conversations with folks in WebAppSec meetings, my subjective impression is that this isn't a very popular feature, and that we'd be able to get other browser vendors on board if we're successful this time around.
Alternative implementation suggestion for web developers
Developers can embed resources that do not require basic/digest auth, relying instead on cookies and other session management mechanisms.
Usage information from UseCounter
Generally, we've been on a downward slide since we added metrics at the end of 2014: https://www.chromestatus.com/metrics/feature/timeline/popularity/532. Over the 28 days, usage was 0.0012% of page views. That's not huge, but it's not nothing.
The number also includes image requests, even though we've been ignoring the embedded username/password for those requests since ~2013.
The spike between the end of September and the beginning of December is super-weird, but also seems to have subsided.
OWP launch tracking bug
Entry on the feature dashboard
-mike
Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/bAMVnc1Zyvs/M3VnxbYPBC0J (which I neglected to follow up on for over 2 years... *sigh*)
Summary
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hun...@example.com/yay.tiff"). Such resources would be handled as network errors.
This seems a little ambiguous with respect to images -- will images continue to ignore the credentials in the URL and thus behave differently from other subresources? Or will it change the image behaviour and potentially break them?
Can you open a spec issue somewhere (just Fetch again?) so we can get some standards discussion (and an appropriate PR) going on this?It seems reasonable to me, but in general I think it's best if we break long-standing behavior like this as a step in a consensus process including updating specs, web-platform-tests and aligning with other implementations.
-mike
On Tue, Jan 24, 2017 at 7:51 AM, Mike West <mk...@google.com> wrote:On Mon, Jan 23, 2017 at 8:34 PM, Rick Byers <rby...@chromium.org> wrote:Can you open a spec issue somewhere (just Fetch again?) so we can get some standards discussion (and an appropriate PR) going on this?It seems reasonable to me, but in general I think it's best if we break long-standing behavior like this as a step in a consensus process including updating specs, web-platform-tests and aligning with other implementations.Indeed. I put up a PR at https://github.com/whatwg/fetch/pull/465 and pinged a few folks.Regarding "long standing", https://support.microsoft.com/en-us/help/834489/internet-explorer-does-not-support-user-names-and-passwords-in-web-site-addresses-http-or-https-urls suggests that MS hasn't supported the embedded credentials syntax since at least 2011. +elawrence, who probably has historical context.Thanks. OK if we give the discussion on that PR a few days to shake out before making a decision? If there's no major objection from other implementors on the big-picture change, then I'm personally OK landing the removal and continuing the spec work in parallel.
We should probably do a deprecation warning for one milestone before removal. Would you want to try to get that merged back to 57, or best case just deprecation in 58 and remove in 59?
Is there anything in particular that needs to happen to make progress on https://github.com/whatwg/fetch/pull/465?
The usage here isn't entirely negligible. In https://bigquery.cloud.google.com:443/savedquery/762219082167:efe9306ff8b14209a7d9eb2111a9c71b I queried for sites that are hitting this use counter:
Mike, could you try the change locally and check how these are affected? This is probably a somewhat representative sample of the problem. (1 NSFW redacted.)
On Tue, Feb 7, 2017 at 7:03 AM, Philip Jägenstedt <foo...@chromium.org> wrote:This loads an image with a username, but doesn't actually require the username to load. In this case, a weaker variant of the deprecation that simply ignored the username/password would be effective. I'm a little worried about doing that because I think it's more likely to be confusing to developers than simply blocking the load, but it's worth considering.
It looks like there's a live-ticker on this page that uses basic auth for some reason. These requests would be broken.This page has real breakage, as they're using a username of `true` for resources that don't need basic auth. This looks like a simple typo in their JavaScript... I'll see if I can find someone to poke at (their "contact" form requires a user account, and my Korean is... well... bad.)
Thanks Mike, LGTM3
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
document.execCommand(
"ClearAuthenticationCache"
).
Could something similar be introduced?Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/bAMVnc1Zyvs/M3VnxbYPBC0J (which I neglected to follow up on for over 2 years... *sigh*)
Summary
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hun...@example.com/yay.tiff"). Such resources would be handled as network errors.
This update is causing us issues with sites protected by basic auth that have relative subresource requests. It happens when we include the username and password in the url (typically for automated testing). In this case, the initial request is fine, but since the subsequent resources end up including the username/password, they are rejected. Is it possible to treat relative subresources differently?For example, this would fail to load the css file when protected
<link href="/theme.css" rel="stylesheet">
On Monday, January 23, 2017 at 3:13:55 AM UTC-8, Mike West wrote:
Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/bAMVnc1Zyvs/M3VnxbYPBC0J (which I neglected to follow up on for over 2 years... *sigh*)
Summary
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hunter2@example.com/yay.tiff"). Such resources would be handled as network errors.
We've taken steps in this direction in the past (see the discussion in https://bugs.chromium.org/p/chromium/issues/detail?id=174179 and https://bugs.chromium.org/p/chromium/issues/detail?id=303046). My hope is that usage has decreased in the last ~2 years to the point where it makes sense to try again.
Motivation
Hard-coding credentials into subresource requests is a) crazypants, b) problematic from a security perspective, as it's allowed folks to brute-force credentials in the past. These dangers are exacerbated for credentialed subresource requests that reach into internal IP ranges (your routers, etc). Given the low usage, closing this (small) security hole seems quite reasonable.
Compatibility And Interoperability Risk
Other browsers generally support embedded credentials in subresources. Based on offhand conversations with folks in WebAppSec meetings, my subjective impression is that this isn't a very popular feature, and that we'd be able to get other browser vendors on board if we're successful this time around.
Alternative implementation suggestion for web developers
Developers can embed resources that do not require basic/digest auth, relying instead on cookies and other session management mechanisms.
Usage information from UseCounter
Generally, we've been on a downward slide since we added metrics at the end of 2014: https://www.chromestatus.com/metrics/feature/timeline/popularity/532. Over the 28 days, usage was 0.0012% of page views. That's not huge, but it's not nothing.
The number also includes image requests, even though we've been ignoring the embedded username/password for those requests since ~2013.
The spike between the end of September and the beginning of December is super-weird, but also seems to have subsided.
OWP launch tracking bug
Entry on the feature dashboard
https://www.chromestatus.com/feature/5669008342777856
-mike
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/99203600-1f45-4461-89ad-da02bd21643a%40chromium.org.
Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/bAMVnc1Zyvs/M3VnxbYPBC0J (which I neglected to follow up on for over 2 years... *sigh*)
Summary
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hun...@example.com/yay.tiff"). Such resources would be handled as network errors.
I do not think that was supposed to happen. This intent blocks request that originated from src or href with embedded credentials. It is not about blocking subresource requests to which the browser added the credentials automatically.So, a page at http://a:a...@b.com that has a stylesheet reference, <link rel=stylesheet href=http://a:a...@b.com/style.css> should fail, but a page at http://a:a...@b.com that has a stylesheet reference, <link rel=stylesheet href=style.css> should succeed (it might trigger an error 403, but I think the browser would automatically use the credentials of the page for the same origin), unless I am misunderstanding the intent.You can search crbug.com for an existing issue and star it. If you cannot find one, file a new issue using the "New issue" link on the same page.Please, do not add a "+1" or "Me too" or "Confirmed" (or similar) comment. It just wastes the time of Chrome engineers and sends unnecessary e-mails to all of the people who starred the issue.You can reply with a link to the found or created issue and might get triaged (and fixed) faster.Thank you.
☆PhistucK
On Fri, Jun 9, 2017 at 10:42 PM, <samuel...@gmail.com> wrote:
This update is causing us issues with sites protected by basic auth that have relative subresource requests. It happens when we include the username and password in the url (typically for automated testing). In this case, the initial request is fine, but since the subsequent resources end up including the username/password, they are rejected. Is it possible to treat relative subresources differently?For example, this would fail to load the css file when protectedindex.html
<link href="/theme.css" rel="stylesheet">
On Monday, January 23, 2017 at 3:13:55 AM UTC-8, Mike West wrote:
Primary eng (and PM) emails
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/bAMVnc1Zyvs/M3VnxbYPBC0J (which I neglected to follow up on for over 2 years... *sigh*)
Summary
I'd like to block requests for subresources that contain embedded credentials (e.g. "http://ima_user:hun...@example.com/yay.tiff"). Such resources would be handled as network errors.
We've taken steps in this direction in the past (see the discussion in https://bugs.chromium.org/p/chromium/issues/detail?id=174179 and https://bugs.chromium.org/p/chromium/issues/detail?id=303046). My hope is that usage has decreased in the last ~2 years to the point where it makes sense to try again.
Motivation
Hard-coding credentials into subresource requests is a) crazypants, b) problematic from a security perspective, as it's allowed folks to brute-force credentials in the past. These dangers are exacerbated for credentialed subresource requests that reach into internal IP ranges (your routers, etc). Given the low usage, closing this (small) security hole seems quite reasonable.
Compatibility And Interoperability Risk
Other browsers generally support embedded credentials in subresources. Based on offhand conversations with folks in WebAppSec meetings, my subjective impression is that this isn't a very popular feature, and that we'd be able to get other browser vendors on board if we're successful this time around.
Alternative implementation suggestion for web developers
Developers can embed resources that do not require basic/digest auth, relying instead on cookies and other session management mechanisms.
Usage information from UseCounter
Generally, we've been on a downward slide since we added metrics at the end of 2014: https://www.chromestatus.com/metrics/feature/timeline/popularity/532. Over the 28 days, usage was 0.0012% of page views. That's not huge, but it's not nothing.
The number also includes image requests, even though we've been ignoring the embedded username/password for those requests since ~2013.
The spike between the end of September and the beginning of December is super-weird, but also seems to have subsided.
OWP launch tracking bug
Entry on the feature dashboard
https://www.chromestatus.com/feature/5669008342777856
-mike
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
This update is causing us issues with sites protected by basic auth that have relative subresource requests. It happens when we include the username and password in the url (typically for automated testing). In this case, the initial request is fine, but since the subsequent resources end up including the username/password, they are rejected. Is it possible to treat relative subresources differently?For example, this would fail to load the css file when protected