More CORB-protected MIME types - adding protected types one-by-one. #860
Comments
|
Not sure how to assign "topic:corb" and "security/privacy" labels to this issue... :-/ |
ricea
added
security/privacy
|
Adding more types sounds good. Doing it based on the We should definitely define how all of that works. I hope to have time later this year to revamp the MIME Sniffing specification a little so it's a bit more apparent what kind of architecture we need/have (though if someone else wants to take that on that'd be great too). I'd basically try to add as many types as possible. We can add whatever cannot normally be loaded or parsed via I do think it would be nice if we could switch the error handling as per #727. Currently CORB sticks out a bit and I don't think it's needed, even though the change would be somewhat observable. At that point it wouldn't really be different from blocking |
Hmmm... maybe this could be approached by changing how Fetch spec describes handling of "Cross-Origin-Resource-Policy" header (i.e. approaching this as tweaking CORP rather than tweaking CORB). CORP already results in errors. We could add new steps between steps 2 and 3 (after checking that this is a cross-origin, no-cors request) saying:
Tweaking CORP might also be easier implementation-wise (at least from Chromium perspective) than tweaking CORB. WDYT?
So, should we just use this issue to brainstorm which types to protect? Or should we just try application/pdf for now (and see if anything breaks once it reaches more users)? Various notes on this subject:
So, personally, I would like to just start with |
|
I meant changing the error handling for CORB in general. I think what you suggest works, but it's not clear to me that's the architecture we want to have for this long term. |
Ack. Maybe this deserves its own, small section in the spec (i.e. something separate from both CORB and CORP). One question here would be what to call this hypothetical section - "Blocking of cross-origin responses with content types that are never useful in no-cors requests" (BoCORwCTTANUiNCR)? |
|
BTW: I have tried to look at HTTP Archive data to see which I think we should consider adding more protection for the following types (ordered roughly in the order of how frequently they occur in the wild, with most common types listed first):
|
|
cc @evilpie |
This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe
This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis <[email protected]> Commit-Queue: Łukasz Anforowicz <[email protected]> Cr-Commit-Position: refs/heads/master@{#663824}
This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis <[email protected]> Commit-Queue: Łukasz Anforowicz <[email protected]> Cr-Commit-Position: refs/heads/master@{#663824}
… x-www-form-urlencoded., a=testonly Automatic update from web-platform-tests CORB should block event-stream, gzip and x-www-form-urlencoded. This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis <[email protected]> Commit-Queue: Łukasz Anforowicz <[email protected]> Cr-Commit-Position: refs/heads/master@{#663824} -- wp5At-commits: 4308b47e147274f6702a0c1add77488fbc75a309 wpt-pr: 17006
… x-www-form-urlencoded., a=testonly Automatic update from web-platform-tests CORB should block event-stream, gzip and x-www-form-urlencoded. This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis <[email protected]> Commit-Queue: Łukasz Anforowicz <[email protected]> Cr-Commit-Position: refs/heads/master@{#663824} -- wp5At-commits: 4308b47e147274f6702a0c1add77488fbc75a309 wpt-pr: 17006
This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis <[email protected]> Commit-Queue: Łukasz Anforowicz <[email protected]> Cr-Commit-Position: refs/heads/master@{#663824}
… x-www-form-urlencoded., a=testonly Automatic update from web-platform-tests CORB should block event-stream, gzip and x-www-form-urlencoded. This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis <creischromium.org> Commit-Queue: Łukasz Anforowicz <lukaszachromium.org> Cr-Commit-Position: refs/heads/master{#663824} -- wp5At-commits: 4308b47e147274f6702a0c1add77488fbc75a309 wpt-pr: 17006 UltraBlame original commit: 2c70fb58e7267888692dce4121614c1240f470d4
… x-www-form-urlencoded., a=testonly Automatic update from web-platform-tests CORB should block event-stream, gzip and x-www-form-urlencoded. This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis <creischromium.org> Commit-Queue: Łukasz Anforowicz <lukaszachromium.org> Cr-Commit-Position: refs/heads/master{#663824} -- wp5At-commits: 4308b47e147274f6702a0c1add77488fbc75a309 wpt-pr: 17006 UltraBlame original commit: 2c70fb58e7267888692dce4121614c1240f470d4
… x-www-form-urlencoded., a=testonly Automatic update from web-platform-tests CORB should block event-stream, gzip and x-www-form-urlencoded. This CL adds CORB coverage for: 1) text/event-stream, application/x-www-form-urlencoded, based on the code review discussion in a previous CL here: https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227 2) application/gzip, which wasn't mentioned explicitly in the CR discussion above, but which is ranked #212 in the spreadsheet mentioned in whatwg/fetch#860 (comment) and therefore probably should have been included in r659671 together with x-gzip (ranked #54) and zip (ranked #71). Bug: 802836 Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809 Reviewed-by: Charlie Reis <creischromium.org> Commit-Queue: Łukasz Anforowicz <lukaszachromium.org> Cr-Commit-Position: refs/heads/master{#663824} -- wp5At-commits: 4308b47e147274f6702a0c1add77488fbc75a309 wpt-pr: 17006 UltraBlame original commit: 2c70fb58e7267888692dce4121614c1240f470d4
|
I've just discovered the work happening here and I must say I'm enamored. Securing the web and the user space/s outside of the web while ensuring user privacy is essential. If I may suggest an additional MIME type for consideration: |
|
@mozdevcontrib, thanks for chiming in. Interestingly application/pgp* prefix does not show up in the HTTP-archive-based sheet. Still, adding |
|
👍🏼 Awesome.
~intr0 Ⓐ Sent from ProtonMail Professional
…On Thu, Jan 16, 2020 at 14:46, Lukasz Anforowicz ***@***.***> wrote:
***@***.***(https://github.com/mozdevcontrib), thanks for chiming in. Interestingly application/pgp* prefix does not show up in the HTTP-archive-based [sheet](https://docs.google.com/spreadsheets/d/1lDorJzFizwgbLuTHL6-HZKTMXG67vlN8OB-ttjQ4ib0). Still, adding application/pgp-signature (and application/pgp-encrypted and application/pgp-keys from [rfc3156](https://tools.ietf.org/html/rfc3156) or maybe even all of application/pgp*) sounds like a good idea. We probably should also consider multipart/signed (or maybe all of multipart/*) and application/pkcs7-signature. Let me track that from Chromium side in https://crbug.com/1042836.
—
You are receiving this because you were mentioned.
Reply to this email directly, [view it on GitHub](#860?email_source=notifications&email_token=AL324UXG3LPB2GY5WNGAH63Q6C2P7A5CNFSM4GRDKKJKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJFJTBQ#issuecomment-575314310), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AL324URCBRH7VMWPZ5L4LMLQ6C2P7ANCNFSM4GRDKKJA).
|
|
@mozdevcontrib, could you clarify why it is desirable to prevent disclosing I understand that in
|
|
@annevk, can you please provide feedback whether we might want to move forward with making spec changes here? (#860 (comment) seemed supportive if we treat error handling as an orthogonal discussion.) We could wait until we have tried experimenting with ORB / safelist-based approach, but maybe adding extra MIME types to the spec makes sense? How would the spec changes look like?:
FWIW, WPT tests (at
Additionally, CORB in Chromium recognizes:
I am not sure if we'd want to include all of these types in the spec - we'd probably need to agree on the set of types to include, before proceeding with any spec changes. |
|
@anforowicz I could see https://github.com/annevk/orb having an early step to check mimeType's essence for one of those types (edit: in my mind, the more types the merrier) and then return false, which would then result in a network error. I would be supportive of adding that behavior to the specification. It would be similar to the existing MIME type blocking but for opaque responses only. |
|
As we've been discussing this as part of ORB (see annevk/orb@6268458 and annevk/orb@282c8ff), this will eventually be resolved through #1442. It doesn't seem worth it to keep this issue open separately at this point. |
In #721 we have been discussing how to extend CORB to other types using a "safelist" approach (e.g. attempting to protect/block everything that is not a "safelisted" content type like an image, stylesheet, script, etc). The "safelist" (e.g. the 2 flavours pointed out in #721 (comment)) seems like the right long-term approach, but it seems very unfortunate that some sensitive content types are not protected in the short-term. For example - it seems very desirable to protect PDF documents as they are likely to contain sensitive information (e.g. financial statements).
I think I would like to just go ahead and add protection of "application/pdf" to Chromium's CORB implementation (with no sniffing). Does that seem reasonable to all of you? If I hear no objections, then I'll try to work on that (implementation + WPT coverage) and possibly adding that mime type to https://fetch.spec.whatwg.org/#corb later on.
Do you have any suggestions for how to decide on additional types that should be protected by CORB? PDF seems like an important one, but hopefully such types can be identified in a structured way (rather than unilaterally and possibly incorrectly deciding that PDF is important but ZIP and CSV maybe not so much). I wonder if there are public data sources that have statistics on the most commonly used MIME types on the web (I couldn't find this after a cursory glance at https://archive.org/).
cc @annevk @csreis @jakearchibald
The text was updated successfully, but these errors were encountered: