-
Notifications
You must be signed in to change notification settings - Fork 367
Add the "speculationrules" destination #1841
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
domenic
wants to merge
1
commit into
main
Choose a base branch
from
speculationrules
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure this is accurate? Wouldn't this be governed by connect-src at least?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, per discussion with CSP folks, header-initiated fetches are not generally governed by CSP at all. The reasoning is that CSP is a mechanism for protection against HTML injection defense, not header-injection defense; if an attacker can inject headers, then they can mess up your CSP and do all sorts of bad things.
I guess
Linkmight be governed by CSP, but that's more of a historical accident...There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I agree with that.
I think it also depends on the order the headers are processed in. If the CSP header is processed first (and I hope that it is), any fetch following it would automatically be subject to CSP.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, not sure, probably something to discuss with the CSP spec editors if you want to make changes to that policy...
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@antosart mind chiming in?
I think in the HTML standard we create a policy container from navigation response first thing and I wouldn't expect us to fetch anything else before that is complete. (This happens deep into https://html.spec.whatwg.org/#create-navigation-params-by-fetching if I'm reading things correctly.)
Are you also suggesting for instance that we would not take Referrer Policy into account here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I understand correctly, fetches do indeed happen after the policy container is created from the navigation response. However, the current proposal is to have Speculation-Rules headers explicitly bypass CSP by allowlisting the "speculationrules" destination in CSP (w3c/webappsec-csp#776). Digging a bit, that seem to be the result of experiments and discussion (see https://chromestatus.com/feature/5123809745829888?gate=5093909324365824).
I expect the reason for this to be rooted in the attempt of CSP to do (at least) two things at the same time, i.e. control script execution and gate outgoing requests (which in the case of
script-srcend up colliding even if they are conceptually distinct - fetching a script content is not the same as executing it). Gating the Speculation-Rules header behind script-src would make it impossible to use the feature with strict CSP. Gating it behind something else (e.g. connect-src) could be somehow confusing given that the other way to specify speculationrules is in a script tag (for which script-src does apply). It's not totally clear to me what the best option is here, but I think it would make sense to have some record/explanation of why the choice was made.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that the usage of
<script>necessarily impliesscript-src.script-srcmakes sense when the result is script execution, but if we were to use<script>for JSON modules or some such it shouldn't usescript-srcbut the same thing that the "json" destination devolves into. I think the same kind of rationale applies here, which I suspect meansconnect-srcin the end.I know some at Google don't care about the exfiltration angle of CSP, but I don't think we have ever reached agreement on giving up on it, so until we get there I think new fetch contexts should play by the same rules as existing ones.