|
| 1 | +# RFC #72: Address space overrides |
| 2 | + |
| 3 | +## Summary |
| 4 | + |
| 5 | +The goal of this RFC is to enable web platform tests to cover the |
| 6 | +[CORS-RFC1918](https://wicg.github.io/cors-rfc1918) specification entirely. |
| 7 | +More specifically, to enable tests to exercise user agent behavior in the face |
| 8 | +of responses served from `local`, `private` and `public` |
| 9 | +[address spaces](https://wicg.github.io/cors-rfc1918#address-space). |
| 10 | + |
| 11 | +This is achieved by passing command-line flags to the browser under test forcing |
| 12 | +it to artificially consider specific IP addresses `local`, `private` or |
| 13 | +`public`. |
| 14 | + |
| 15 | +This RFC aims to fix |
| 16 | +[web-platform-tests/wpt#26166](https://github.com/web-platform-tests/wpt/issues/26166). |
| 17 | + |
| 18 | +## Details |
| 19 | + |
| 20 | +### Address allocation |
| 21 | + |
| 22 | +For the purposes of testing, declare that the following subnets are not `local` |
| 23 | +but instead: |
| 24 | + |
| 25 | +* 127.1.0.0/16: `private` |
| 26 | +* 127.2.0.0/16: `public` |
| 27 | + |
| 28 | +### Browser changes |
| 29 | + |
| 30 | +A new configuration surface is added to each browser (it need not be uniform, |
| 31 | +though that would certainly help with implementation) that allows overriding the |
| 32 | +address space derived from specific IP addresses. For example, this could be a |
| 33 | +command-line flag: |
| 34 | + |
| 35 | +```sh |
| 36 | +--test-override-address-space=127.1.0.0/16:private,127.2.0.0/16:public |
| 37 | +``` |
| 38 | + |
| 39 | +Test-only code wires this command-line flag to the code in the browser under |
| 40 | +test that determines the address space of a network endpoint. |
| 41 | + |
| 42 | +### Test runner changes |
| 43 | + |
| 44 | +The web platform test runner sets command-line flags on browsers such that the |
| 45 | +browsers implement the custom address space mapping described above during |
| 46 | +tests. |
| 47 | + |
| 48 | +Corresponding entries are added to the hosts file, as generated by |
| 49 | +[make_hosts_file()](https://github.com/web-platform-tests/wpt/blob/master/tools/serve/serve.py#L513-L530): |
| 50 | + |
| 51 | +``` |
| 52 | +127.1.0.1 private.web-platform.test |
| 53 | +127.2.0.1 public.web-platform.test |
| 54 | +``` |
| 55 | + |
| 56 | +This allows web platform tests to exercise browser behavior in the face of |
| 57 | +`private` and `public` IP addresses, simply by targeting the above domains. |
| 58 | + |
| 59 | +## Risks |
| 60 | + |
| 61 | +If the tests run on an IPv6-only system, the system might not know how to route |
| 62 | +requests to the IPv4 loopback address range? This seems like an extremely remote |
| 63 | +possibility, in which case many other assumptions made by the test framework |
| 64 | +might have to be revisited anyway. |
| 65 | + |
| 66 | +## Alternatives considered |
| 67 | + |
| 68 | +### Override addresses themselves |
| 69 | + |
| 70 | +This approach was suggested by @ddragana. |
| 71 | + |
| 72 | +A similar configuration mechanism is exposed by browsers by which the test |
| 73 | +runner can override some IP addresses, such that the browser under test will |
| 74 | +consider that sockets connected to IP A are in fact connected to a fake IP B. |
| 75 | + |
| 76 | +For example, as a command-line flag: |
| 77 | + |
| 78 | +``` |
| 79 | +--test-ip-address-override=127.1.0.1:8.8.8.8,127.2.0.1:192.168.1.1 |
| 80 | +``` |
| 81 | + |
| 82 | +Would force the browser to consider sockets connected to `127.1.0.1` as instead |
| 83 | +being connected to `8.8.8.8` and likewise for `127.2.0.1` to `192.168.1.1`. |
| 84 | + |
| 85 | +This approach allows overriding the address space without introducing the notion |
| 86 | +of address spaces to the configuration surface. @ddragana argues that it is less |
| 87 | +failure-prone than the above proposal due to it being simpler to implement. |
| 88 | + |
| 89 | +In Chromium, however, this approach likely would require plumbing the fake IP |
| 90 | +address lower into the network stack than we would have to plumb a fake address |
| 91 | +space. Thus it seems that instead this would be harder to implement correctly. |
| 92 | + |
| 93 | +### Use individual IP addresses |
| 94 | + |
| 95 | +Same as above, but allow overriding address spaces per IP address instead of |
| 96 | +per subnet. |
| 97 | + |
| 98 | +The marginal difficulty of overriding per subnet seems low, and provides plenty |
| 99 | +of test IP addresses to exercise intra-address-space, cross-ip-address requests, |
| 100 | +which might come in handy [in the |
| 101 | +future](https://github.com/WICG/cors-rfc1918/pull/1#issuecomment-721110250). |
| 102 | + |
| 103 | +### Use real IP addresses |
| 104 | + |
| 105 | +If we need to test user agent behavior in the face of a variety of IP addresses, |
| 106 | +then... just do it! |
| 107 | + |
| 108 | +This approach would have the web platform test runner configure additional |
| 109 | +loopback network devices and assign them `private` and `public` IP addresses. |
| 110 | +Alternatively, the test runner could probably reroute traffic heading for these |
| 111 | +IP addresses to `127.0.0.1` through some iptables magic. Then we could configure |
| 112 | +the hosts file to resolve specific domains to those IP addresses, and test the |
| 113 | +whole shebang end to end. |
| 114 | + |
| 115 | +This approach's main pro is that it truly is an end to end test of the feature, |
| 116 | +exercising production code to its full extent. By virtue of requiring no |
| 117 | +test-only hooks, it also requires no work on the part of browser developers. |
| 118 | + |
| 119 | +Its main con is that it requires the test runner to have system privileges. One |
| 120 | +could design around that by restricting system privileges to the test setup |
| 121 | +phase. That refactoring however would require a fair amount of work to ensure no |
| 122 | +setup step is broken because of the IP address hijacking. |
| 123 | + |
| 124 | +Additionally, it requires work to support for each test execution environment. |
| 125 | + |
| 126 | +Finally, it arguably requires the purchase of a public IP address for our use. |
| 127 | +If not, then we open ourselves up to esoteric failures due to the hijacking of a |
| 128 | +legitimate IP address for test purposes, likely in a long enough time for |
| 129 | +everyone to have forgotten the existence of this hack. |
| 130 | + |
| 131 | +### Extend WebDriver |
| 132 | + |
| 133 | +This alternative was initially recommended by @stephenmcgruer in |
| 134 | +[web-platform-tests/wpt#26166](https://github.com/web-platform-tests/wpt/issues/26166). |
| 135 | + |
| 136 | +The gist of this alternative is this: extend WebDriver to allow overriding |
| 137 | +the address space derived from specific IP addresses or domains. |
| 138 | + |
| 139 | +Its main pro is that such an approach would be standardized at a higher level |
| 140 | +than web platform tests alone. |
| 141 | + |
| 142 | +I reached out to some WebDriver experts to explore this avenue first. I was |
| 143 | +informed that WebDriver's audience is web developers seeking to test their |
| 144 | +creations rather than browser developers. As such, they recommended a simpler |
| 145 | +approach with command-line flags instead. |
0 commit comments