While working on the per-frame changes in Chromium, I've realized that there's a bit of an edge case that (IMO) does something unexpected.
Suppose a document on site A embeds two iframes (siblings) on sites B and C. Both iframes call document.requestStorageAccess() and both calls resolve. Now, say iframe C makes a subresource request to a URL on site B. Will this request be credentialed?
As currently specified, yes, I think it will (though the spec is a little hand-wavy in this area). By assumption, the C iframe's environment has the "has storage access" bit set, so the HTTP-network-or-cache fetch algorithm and document.cookie algorithms will use the relevant storage-access permission grant to attach cookies to the request. But the request's top-level site (A) and URL (B) mean that the permission grant which is relevant to the request is the one keyed by <A, B>. This grant cannot possibly have been obtained by the C iframe. So the C iframe is benefiting from the grant that its sibling obtained, not the one that it obtained on its own.
To me, it would seem more consistent to say that a given embedded context can only get access to its own cookies. I.e., that the C iframe can only send credentialed requests to C, regardless of what other permission grants have been created under the same top-level site.
Let me know what you all think. I think making this change would be positive from a security standpoint, but I'm not sure if there are legitimate use cases that would be broken by this restriction.
From a browser architecture perspective it's also somewhat lacking that the website process would be able to hold this kind of authoritative state, but that's probably more reasonable to gloss over.
Yeah, it's somewhat implied that fetch or the cookie store would do a same-site check between the request URL origin and the embedded site, but I agree that this isn't clear enough. From my perspective I'd welcome a PR to that effect :)