Suggestion: condition this on a web permission + CSP + CORS + explicit permissions request to provide a strong layer of security #45
Description
I was reading through #1 and w3ctag/design-reviews#548, and I feel that the security concerns could be mostly addressed by doing the following in concert:
- Require the connection to be established from a secure browsing context.
- This reduces the likelihood of arbitrary script injection.
- Add a CSP directive to limit what scripts can connect to, and disallow all without this header present.
- This allows site operators to prevent XSS holes from being exploited to target arbitrary servers with random connections.
- Add a permission to limit what browsing contexts can create such connections, and disallow all without the permission explicitly declared (at least for cross-origin contexts).
- This allows site operators to prevent loaded iframes and the like from targeting arbitrary servers with random connections.
- Require explicit user permission (similar to geolocation) to allow opening the sockets allowed per the CSP directive and permissions policy.
- The permissions would be able to provide the list of what could open the connection and the CSP directive would be able to provide the list of where it could connect, and these two lists could be provided to the user so they could make a more informed decision on the matter, without necessarily having to know all sorts of low-level networking internals. (If anything, it'd scare non-technical users a little, especially if the domains don't look like they're from the site in question.)
- For
*and*:port, the prompt could ask if the user would like to give the site permission to search their network and connect to local devices on their network (using port whatever if such a port is given) instead, possibly with an additional snippet noting the obvious privacy ramifications. This would appear to the user to be a lot more dangerous than simply "can this website connect to anything on the internet", and so it'd be a little harder to simply socially engineer around. - The permissions prompt here would resolve my concerns in Bypassing CORS would be very useful #19 (comment) as it wouldn't be fully automated. (With an explicit permissions prompt, you'd have to have control over the machine to automate it, and by that point, it'd be easier and more cost-effective to just do it directly in C or whatever.)
I won't say it would address the social engineering concerns from the design review in full (virtually anything can be socially engineered around at least in theory - just ask your average scam boss or physical pentester), but I do feel this would at least be a step in the right direction.