From f083f8cd110800c3fa95d7caab2a107a867dc998 Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Fri, 29 May 2020 17:58:47 +0900 Subject: [PATCH 1/7] Define "Request URL serialization for reporting" This is a preliminary change for COEP merging to HTML and fetch specs. We will use the serialization multiple times both in the HTML spec and the fetch spec, so defining the operation here will be beneficial. --- fetch.bs | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/fetch.bs b/fetch.bs index 016dc95cc..819eebf13 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1772,6 +1772,26 @@ source of security bugs. Please seek security review for features that deal with +

To serialize a request URL +for reporting, given a request request, run these steps: + +

    +
  1. +

    Let url be a copy of request's URL. + +

    This is not request's current URL in order to avoid + leaking information about redirect targets (see + similar considerations + for CSP reporting too). + +

  2. Set the username given url and the empty string. + +

  3. Set the password given url and the empty string. + +

  4. Return url serializedwith the + exclude fragment flag set. +

+

Responses

The result of fetch is a From db9fbcd975d8d3138f87ddfb9a7570302909ed9a Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Mon, 1 Jun 2020 18:54:32 +0900 Subject: [PATCH 2/7] # This is a combination of 2 commits. # This is the 1st commit message: # This is a combination of 23 commits. # This is the 1st commit message: Integrate CORP and COEP This is part of the introduction of COEP (https://github.com/whatwg/html/pull/5454). The CORP check now takes COEP into account. Also, responses coming from service workers are checked. # This is the commit message #2: Update fetch.bs Co-authored-by: Domenic Denicola # This is the commit message #3: Update fetch.bs Co-authored-by: Domenic Denicola # This is the commit message #4: fix # This is the commit message #5: fix # This is the commit message #6: fix # This is the commit message #7: fix # This is the commit message #8: fix # This is the commit message #9: fix # This is the commit message #10: fix # This is the commit message #11: fix # This is the commit message #12: fix # This is the commit message #13: fix # This is the commit message #14: fix # This is the commit message #15: fix # This is the commit message #16: fix # This is the commit message #17: fix # This is the commit message #18: Update fetch.bs Co-authored-by: Anne van Kesteren # This is the commit message #19: Update fetch.bs Co-authored-by: Anne van Kesteren # This is the commit message #20: fix # This is the commit message #21: fix # This is the commit message #22: fix # This is the commit message #23: fix # This is the commit message #2: fix --- fetch.bs | 198 ++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 139 insertions(+), 59 deletions(-) diff --git a/fetch.bs b/fetch.bs index 819eebf13..96dad70c9 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1751,14 +1751,17 @@ source of security bugs. Please seek security review for features that deal with
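Review bot: in the new "serialize a request URL for reporting" algorithm of PATCH 1/7, step 4 reads `Return url serializedwith the exclude fragment flag set` and is missing the space in "serialized with"; and the note that points at "similar considerations for CSP reporting" carries no [[CSP]] biblio reference, so the cross-reference will not resolve. Suggest fixing the spacing and appending [[CSP]] to the note. The choice of request's URL over request's current URL is the security-relevant part of this algorithm (the reported URL must be the pre-redirect one), so step 1 should say "request's URL (not request's current URL)" inline rather than leaving the rationale only in the note.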


-

To serialize a request URL for reporting, given a request -request, run these steps: +

To serialize a response URL for reporting, given a response +response, run these steps:

    +
  1. Assert: response's URL list is not empty. +

  2. -

    Let url be a copy of request's URL. +

    Let url be a copy of response's URL list's first + element. -

    This is not request's current URL in order to avoid +

    This is not response's URL in order to avoid leaking information about redirect targets (see similar considerations for CSP reporting too). [[CSP]] @@ -1772,26 +1775,6 @@ source of security bugs. Please seek security review for features that deal with
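Review bot: the new step `1. Assert: response's URL list is not empty` only holds for responses that have passed through main fetch's "If internalResponse's URL list is empty, then set it to a clone of request's URL list" step or the HTTP-network-or-cache path that now sets the URL list; a response built elsewhere (the PATCH 1/7 commit message says the HTML spec will call this serialization too) can reach it with an empty list. Either state that precondition in prose beside the assert, or handle the empty case (for example, return the empty string) instead of asserting. Separately, this commit's message still contains the interactive-rebase scaffolding ("# This is a combination of 23 commits", 17 "fix" entries); the "#" lines were meant to be removed before committing.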

-

To serialize a request URL -for reporting, given a request request, run these steps: - -

    -
  1. -

    Let url be a copy of request's URL. - -

    This is not request's current URL in order to avoid - leaking information about redirect targets (see - similar considerations - for CSP reporting too). - -

  2. Set the username given url and the empty string. - -

  3. Set the password given url and the empty string. - -

  4. Return url serializedwith the - exclude fragment flag set. -

-

Responses

The result of fetch is a @@ -3167,23 +3150,54 @@ response header can be used to require checking a request< Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-origin" ; case-sensitive -
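Review bot: this hunk deletes the request-based "serialize a request URL for reporting" that PATCH 1/7 introduced, in favour of the response-based definition added above it; PATCH 1/7 and this hunk should be squashed so the series does not add a definition it immediately removes. Please also confirm that nothing in fetch.bs or in the companion HTML change (https://github.com/whatwg/html/pull/5454) still references the request-based name, since the PATCH 1/7 message says the HTML spec was going to use it.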

To perform a cross-origin resource policy check, given a request and -response, run these steps:

+

To perform a cross-origin resource policy check, given an origin +origin, an environment settings object settingsObject, a +response response, and an optional boolean forNavigation, run +these steps:

    -
  1. If request's mode is not "no-cors", then return - allowed. +

  2. Set forNavigation to false if it is not given. + +

  3. Let embedderPolicy be settingsObject's embedder policy.

  4. -

    If request's origin is same origin with - request's current URL's origin, then return - allowed. +

    If the cross-origin resource policy internal check with origin, + "unsafe-none", response, and forNavigation returns + blocked, then return blocked. -

    While redirects that carry a - `Cross-Origin-Resource-Policy` header are checked, redirects - without such a header resulting in response do not affect the outcome as the default is - allowed. - +

    This step is needed because we don't want to report violations not related to + Cross-Origin Embedder Policy below. + +

  5. If the cross-origin resource policy internal check with origin, + embedderPolicy's report only value, response, and forNavigation + returns blocked, then queue a cross-origin embedder policy CORP violation report + with response, settingsObject, and true. + +

  6. If the cross-origin resource policy internal check with origin, + embedderPolicy's value, response, and forNavigation returns + allowed, then return allowed. + +

  7. Queue a cross-origin embedder policy CORP violation report with response, + settingsObject, and false. + +

  8. Return blocked. +

+ +

Only HTML's navigate algorithm uses this check with +forNavigation set to true, and it's always for nested navigations. Otherwise, +response is either the internal response of an +opaque filtered response or a response which will be the +internal response of an +opaque filtered response. [[HTML]] + +

To perform a cross-origin resource policy internal check, given an +origin origin, an embedder policy value embedderPolicyValue, +a response response, and a boolean forNavigation, run these +steps: + +

    +
  1. If forNavigation is true and embedderPolicyValue is + "unsafe-none", then return allowed.

  2. Let policy be the result of getting @@ -3191,33 +3205,90 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or header list.
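Review bot: steps 5 through 7 can queue two reports for the same response: when embedderPolicy's report only value and its value are both "require-corp", step 5 queues a report with reportOnly true and step 7 queues another with reportOnly false before step 8 returns blocked. If that double report is intended, say so in a note; otherwise step 5 should be skipped when the report only value equals the enforced value. Two other points in this hunk: the removed step `If request's mode is not "no-cors", then return allowed` is no longer expressible because the check takes an origin rather than a request, so the gating moves to the callers; the new note ("Otherwise, response is either the internal response of an opaque filtered response...") should state that explicitly as a requirement on callers. And the deleted note about redirects without a `Cross-Origin-Resource-Policy` header "not affecting the outcome as the default is allowed" is no longer true under "require-corp" (a missing header becomes `same-origin` in the internal check), so replace it with a note describing the new redirect behaviour rather than dropping it.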

    This means that `Cross-Origin-Resource-Policy: same-site, same-origin` - ends up as allowed below as it will never match anything. Two or more + ends up as allowed below as it will never match anything, as long as + embedderPolicyValue is "unsafe-none". Two or more `Cross-Origin-Resource-Policy` headers will have the same effect. -

  3. If policy is `same-origin`, then return blocked. +

  4. If policy is neither `same-origin`, `same-site`, nor +`cross-origin`, then set policy to null. + +

  5. If policy is null and embedderPolicyValue is + "require-corp", then set policy to `same-origin`.

  6. -

    If the following are true +

    Switch on policy: -

    +
    +
    null +
    `cross-origin` +

    Return allowed. + +

    `same-origin` +
    +

    If origin is same origin with response's URL's + origin, then return allowed. -

    then return allowed. +

    Otherwise, return blocked. -

    This prevents HTTPS responses with - `Cross-Origin-Resource-Policy: same-site` from being accessed without secure - transport. +

    `same-site` +
    +

    If the following are true -

  7. If policy is `same-site`, then return blocked. +

    + +

    then return allowed. + +

    Otherwise, return blocked. + +

    `Cross-Origin-Resource-Policy: same-site` does not consider a + response delivered via a secure transport to match a non-secure requesting origin, + even if their hosts are otherwise same site. Securely-transported responses will only + match a securely-transported initiator. +

+

To queue a cross-origin embedder policy CORP violation report, given a +response response, an environment settings object +settingsObject, and a boolean reportOnly, run these steps: + +

    +
  1. Let endpoint be settingsObject's embedder policy's + report only reporting endpoint if the reportOnly is true and + settingsObject's embedder policy's reporting endpoint otherwise. + +

  2. Let serialized url be the result of + serializing a response URL for reporting with + response. + +

  3. +

    Let body be a new object containing the following properties: + + + + + + + + + + +
    key + value +
    "type" + "corp" +
    "blocked-url" + serialized url +
    + +

  4. Queue body as the "coep"report type for + endpoint on settingsObject. [[!REPORTING]] +

Fetching

@@ -3609,9 +3680,8 @@ optionally with a recursive flag, run these steps:
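Review bot: in "queue a cross-origin embedder policy CORP violation report", reportOnly only selects the endpoint; the body carries just `"type": "corp"` and `"blocked-url"`, so a receiver that uses the same endpoint for both the report-only and the enforcing policy cannot tell an enforced block from a report-only one. Consider adding a property that records the disposition. Step 1 also does nothing when the embedder policy has no reporting endpoint (or no report only reporting endpoint) configured, so step 4 queues to a null endpoint; an early "If endpoint is null, then return" is clearer than relying on the Reporting API to discard it. Minor: `if the reportOnly is true` should read `if reportOnly is true`, and `"coep"report type` is missing a space. In the internal check, the updated note that `same-site, same-origin` "ends up as allowed below ... as long as embedderPolicyValue is unsafe-none" is correct, since step 4 nulls the unparseable value and step 5 turns null into `same-origin` only under "require-corp"; worth keeping that rationale in the note.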

If internalResponse's URL list is empty, then set it to a clone of request's URL list. -

A response's URL list will typically be empty at - this point, unless it came from a service worker, in which case it will only be empty if it was - created through new Response(). +

A response's URL list can be empty when it's for + "about" URLs for example. @@ -3981,6 +4051,17 @@ optional CORS-preflight flag, run these steps: then set request's timing allow failed flag. +
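Review bot: the replacement note `A response's URL list can be empty when it's for "about" URLs for example` reads awkwardly (fixed in PATCH 3/7) and drops the service-worker `new Response()` case that the old text called out; that case is exactly the one the new `Assert: response's URL list is not empty` in the reporting serialization relies on this step to cover, so keep both examples in the note.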

  • +

    If request's response tainting is "opaque" + and the cross-origin resource policy check with request's + origin, request's client, and + actualResponse returns blocked, then return a network error. + +

    The cross-origin resource policy check runs for responses coming from the + network and responses coming from the service worker. This is different from the + CORS check. This is because request's client and the + service worker can have different embedder policies. +

  • If actualResponse's status is a redirect status, then: @@ -4533,13 +4614,12 @@ Range Requests. [[HTTP-RANGE]] However, this is not widely supported by b +
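Review bot: the new step passes `request's client` as the settingsObject whose embedder policy the check reads, but a request's client is null or an environment settings object, so a client-less request would read the embedder policy of null. Add a guard ("and request's client is not null") or define the behaviour for such requests. Also, because this step precedes the redirect handling step below it, every redirect response with opaque tainting is checked too, which preserves the old behaviour of checking redirects that carry a `Cross-Origin-Resource-Policy` header; the note under the step should say so, since the earlier note about redirects was removed from the check itself.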

  • Set response's URL list to a clone of + httpRequest's URL list. +

  • If httpRequest's header list contains `Range`, then set response's range-requested flag. -

  • If httpRequest's response tainting is not "cors" - and the cross-origin resource policy check with request and response - returns blocked, then return a network error. -

  • If response's status is 401, httpRequest's response tainting is not "cors", the From e8b90f8f2443b335d2d1ae9dec93829640337083 Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Thu, 25 Jun 2020 14:18:54 +0900 Subject: [PATCH 3/7] fix --- fetch.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index 96dad70c9..a814f69f3 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3680,8 +3680,8 @@ optionally with a recursive flag, run these steps:
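Review bot: the removed step guarded on `httpRequest's response tainting is not "cors"`, which also covered "basic" tainting, while the replacement in main fetch only fires when tainting is "opaque". That is acceptable (a same-origin response would be allowed by the internal check's `same-origin` branch anyway) but it is a behavioural narrowing that the commit message should mention. The added `Set response's URL list to a clone of httpRequest's URL list` is what makes the new Assert on a non-empty URL list hold for network responses, so it must stay ahead of any early return in this algorithm.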

    If internalResponse's URL list is empty, then set it to a clone of request's URL list. -

    A response's URL list can be empty when it's for - "about" URLs for example. +

    A response's URL list can be empty (for example, + when the response represents an about URL). From 1ca20a9606337fd52252b4638b8082952960e78c Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Fri, 26 Jun 2020 14:05:25 +0900 Subject: [PATCH 4/7] fix --- fetch.bs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/fetch.bs b/fetch.bs index a814f69f3..c96355051 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3158,11 +3158,11 @@ these steps:

    1. Set forNavigation to false if it is not given. -

    2. Let embedderPolicy be settingsObject's embedder policy. +

    3. Let embedderPolicy be settingsObject's embedder policy.

    4. If the cross-origin resource policy internal check with origin, - "unsafe-none", response, and forNavigation returns + "unsafe-none", response, and forNavigation returns blocked, then return blocked.

      This step is needed because we don't want to report violations not related to @@ -3191,13 +3191,13 @@ these steps: opaque filtered response. [[HTML]]

      To perform a cross-origin resource policy internal check, given an -origin origin, an embedder policy value embedderPolicyValue, +origin origin, an embedder policy value embedderPolicyValue, a response response, and a boolean forNavigation, run these steps:

      1. If forNavigation is true and embedderPolicyValue is - "unsafe-none", then return allowed. + "unsafe-none", then return allowed.

      2. Let policy be the result of getting @@ -3206,14 +3206,14 @@ steps:

        This means that `Cross-Origin-Resource-Policy: same-site, same-origin` ends up as allowed below as it will never match anything, as long as - embedderPolicyValue is "unsafe-none". Two or more + embedderPolicyValue is "unsafe-none". Two or more `Cross-Origin-Resource-Policy` headers will have the same effect.

      3. If policy is neither `same-origin`, `same-site`, nor `cross-origin`, then set policy to null.

      4. If policy is null and embedderPolicyValue is - "require-corp", then set policy to `same-origin`. + "require-corp", then set policy to `same-origin`.

      5. Switch on policy: @@ -3258,9 +3258,9 @@ steps: settingsObject, and a boolean reportOnly, run these steps:

          -
        1. Let endpoint be settingsObject's embedder policy's - report only reporting endpoint if the reportOnly is true and - settingsObject's embedder policy's reporting endpoint otherwise. +

        2. Let endpoint be settingsObject's embedder policy's + report only reporting endpoint if reportOnly is true and + settingsObject's embedder policy's reporting endpoint otherwise.

        3. Let serialized url be the result of serializing a response URL for reporting with @@ -3286,7 +3286,7 @@ steps: -

        4. Queue body as the "coep"report type for +

        5. Queue body as the "coep" report type for endpoint on settingsObject. [[!REPORTING]]

        From 37b2bdb843f4f8ee2daa20e087473737e4b9b509 Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Fri, 26 Jun 2020 14:34:29 +0900 Subject: [PATCH 5/7] fix --- fetch.bs | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/fetch.bs b/fetch.bs index c96355051..a4541292d 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3158,12 +3158,13 @@ these steps:
        1. Set forNavigation to false if it is not given. -

        2. Let embedderPolicy be settingsObject's embedder policy. +

        3. Let embedderPolicy be settingsObject's + embedder policy.

        4. If the cross-origin resource policy internal check with origin, - "unsafe-none", response, and forNavigation returns - blocked, then return blocked. + "unsafe-none", response, and + forNavigation returns blocked, then return blocked.

          This step is needed because we don't want to report violations not related to Cross-Origin Embedder Policy below. @@ -3191,9 +3192,9 @@ these steps: opaque filtered response. [[HTML]]

          To perform a cross-origin resource policy internal check, given an -origin origin, an embedder policy value embedderPolicyValue, -a response response, and a boolean forNavigation, run these -steps: +origin origin, an embedder policy value +embedderPolicyValue, a response response, and a boolean +forNavigation, run these steps:

          1. If forNavigation is true and embedderPolicyValue is @@ -3206,14 +3207,16 @@ steps:

            This means that `Cross-Origin-Resource-Policy: same-site, same-origin` ends up as allowed below as it will never match anything, as long as - embedderPolicyValue is "unsafe-none". Two or more - `Cross-Origin-Resource-Policy` headers will have the same effect. + embedderPolicyValue is "unsafe-none". + Two or more `Cross-Origin-Resource-Policy` headers will have the + same effect.

          2. If policy is neither `same-origin`, `same-site`, nor -`cross-origin`, then set policy to null. + `cross-origin`, then set policy to null.

          3. If policy is null and embedderPolicyValue is - "require-corp", then set policy to `same-origin`. + "require-corp", then set policy to + `same-origin`.

          4. Switch on policy: @@ -3258,9 +3261,11 @@ steps: settingsObject, and a boolean reportOnly, run these steps:

              -
            1. Let endpoint be settingsObject's embedder policy's +

            2. Let endpoint be settingsObject's + embedder policy's report only reporting endpoint if reportOnly is true and - settingsObject's embedder policy's reporting endpoint otherwise. + settingsObject's embedder policy's + reporting endpoint otherwise.

            3. Let serialized url be the result of serializing a response URL for reporting with From 1e45ecd346cc93ab6a254d4dfe00b88276ee3570 Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Fri, 26 Jun 2020 15:03:22 +0900 Subject: [PATCH 6/7] fix --- fetch.bs | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/fetch.bs b/fetch.bs index a4541292d..6bc605a90 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3170,13 +3170,14 @@ these steps: Cross-Origin Embedder Policy below.

            4. If the cross-origin resource policy internal check with origin, - embedderPolicy's report only value, response, and forNavigation - returns blocked, then queue a cross-origin embedder policy CORP violation report - with response, settingsObject, and true. + embedderPolicy's report only value, response, + and forNavigation returns blocked, then + queue a cross-origin embedder policy CORP violation report with response, + settingsObject, and true.

            5. If the cross-origin resource policy internal check with origin, - embedderPolicy's value, response, and forNavigation returns - allowed, then return allowed. + embedderPolicy's value, response, and + forNavigation returns allowed, then return allowed.

            6. Queue a cross-origin embedder policy CORP violation report with response, settingsObject, and false. @@ -4057,15 +4058,16 @@ optional CORS-preflight flag, run these steps:

          5. -

            If request's response tainting is "opaque" - and the cross-origin resource policy check with request's - origin, request's client, and - actualResponse returns blocked, then return a network error. +

            If either request's response tainting or response's + type is "opaque", and the + cross-origin resource policy check with request's origin, + request's client, and actualResponse returns + blocked, then return a network error.

            The cross-origin resource policy check runs for responses coming from the network and responses coming from the service worker. This is different from the - CORS check. This is because request's client and the - service worker can have different embedder policies. + CORS check, as request's client and the service worker can + have different embedder policies.

          6. If actualResponse's status is a redirect status, then: From ea40eaf0d71e949373eafe6652b32fd1e86eb152 Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Fri, 26 Jun 2020 16:13:46 +0900 Subject: [PATCH 7/7] fix --- fetch.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/fetch.bs b/fetch.bs index 6bc605a90..6dd75f6a7 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3297,6 +3297,7 @@ these steps:
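Review bot: the condition now reads `If either request's response tainting or response's type is "opaque"`, yet the check still runs on actualResponse. State in the note which case the `response's type` test catches that the tainting test does not (the note below only says the check covers responses coming from the service worker), and make explicit that `response` here is the filtered response whose internal response is actualResponse, so a reader does not treat the two variables as interchangeable.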

          +

          Fetching