Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Iframe credentialless (was: Anonymous iframe) #45

Open
ArthurSonzogni opened this issue Aug 5, 2022 · 7 comments
Open

Iframe credentialless (was: Anonymous iframe) #45

ArthurSonzogni opened this issue Aug 5, 2022 · 7 comments
Assignees
Labels
concerns: security This proposal may cause security risk if implemented from: Google Proposed, edited, or co-edited by Google. topic: frames Proposa relates to frames or iframes topic: loading topic: privacy topic: security topic: storage Spec relates to storage mechanisms such as cookies, IndexedDB, or LocalStorage venue: WICG Proposal is incubated in the Web Incubator Community Group

Comments

@ArthurSonzogni
Copy link

ArthurSonzogni commented Aug 5, 2022

Request for position on an emerging web specification

This was previously filled as: https://lists.webkit.org/pipermail/webkit-dev/2022-April/032205.html
but didn't get any replies. Since WebKit is now using this new Github Medium, I am asking again. We would appreciate your feedback. In particular, there is a recent discussion with Mozilla who suggested activating it via a sandbox flag instead.

Information about the spec

Design reviews and vendor positions

Bugs tracking this feature

  • WebKit Bugzilla:
  • Radar:

Anything else we need to know

Anonymous iframes give developers a way to load documents in third party iframes using new and ephemeral contexts.

Anonymous iframes are a generalization of COEP credentialless to support 3rd party iframes that may not deploy COEP. Like with COEP credentialless, we replace the opt-in of cross-origin subresources by avoiding to load non-public resources. This will remove the constraint that 3rd party iframes must support COEP in order to be embedded in a COEP page and will unblock developers looking to adopt cross-origin-isolation.

This way, developers using COEP can now embed third party iframes that do not.

@othermaciej othermaciej added topic: loading topic: privacy topic: security topic: storage Spec relates to storage mechanisms such as cookies, IndexedDB, or LocalStorage topic: frames Proposa relates to frames or iframes venue: WICG Proposal is incubated in the Web Incubator Community Group from: Google Proposed, edited, or co-edited by Google. labels Sep 25, 2022
@hober hober moved this from Unscreened to Needs position in Standards Positions Review Backlog Mar 23, 2023
@hober hober moved this from Needs position to Needs assignees in Standards Positions Review Backlog Mar 27, 2023
@hober hober moved this from Needs assignees to Needs position in Standards Positions Review Backlog Mar 27, 2023
@annevk annevk changed the title Anonymous iframe Iframe credentialless (was: Anonymous iframe) Jun 19, 2023
@annevk
Copy link
Contributor

annevk commented Jun 19, 2023

I think WebKit's storage policies are already pretty close to the desires of this feature:

I guess that Chromium doesn't mean for cross-site storage to become ephemeral?

@ArthurSonzogni
Copy link
Author

Thanks @annevk !

I think WebKit's storage policies are already pretty close to the desires of this feature:

Yes, it has some similar properties indeed, which are nice!

However, at the end, the goal of iframe credentialless is to allow embedding safely non-COEP document inside a COEP one. In particular it must be safe with regards to Spectre attacks, because the parent can be crossOriginIsolated. That's the only "real" feature of iframe credentialess. Everything else are only means to this end.

From the current Safari state, if we wanted to supersede iframe credentialless and allow the embedding without it, I think we would have to:

  • Find a way to protect against attacks using a vulnerable cross-origin website. Every property you listed is Cross-Site, but Cross-Origin is needed instead. For instance, we don't want a vulnerability from blog.example.com to be used to leak data from accounts.example.com. The amount of security efforts developers are using is usually proportional to the value of the things they protect.
  • Prevent autofill and similar non-web features from leaking data into the process.
  • Prevent popups from leaking data into the process. This should be fine already assuming a crossOriginIsolated top-level ancestor requires COOP:same-origin.

I guess that Chromium doesn't mean for cross-site storage to become ephemeral?

I don't know myself if there are plans for this, beyond the current plan to bring in partitioning.

@annevk annevk added the concerns: security This proposal may cause security risk if implemented label Mar 7, 2024
@annevk
Copy link
Contributor

annevk commented Mar 7, 2024

It has come to my attention that <iframe credentialless> is sometimes used for payment flows, despite autofill not being supported. Have you heard about this? That makes me very hesitant about this feature as it puts end users at risk, essentially training them to be phished.

@ArthurSonzogni
Copy link
Author

+CC @camillelamy & @mikewest, as I haven't worked on <iframe credentialless> for years.
Payment data is not specific to the iframed's document, so there is no need to disable autofill here. Only username/password are needed. I guess clarifying this section would help, even if this is about vendor specific recommandations?

In Chrome's implementation, I remember it was explicitely decided not to. [internal design doc about autofill].

extract

Question: What components of autofill need to be disabled?

There are several components in autofill: payment, username/password and addresses. From the design of anonymous iframe, the only component we want to disable is username and password autofill.
We are interested in data both specific to the user and specific to the victim website. If the data isn’t specific to the website, then the attacker can get the same information from its own page anyway.

@annevk
Copy link
Contributor

annevk commented Mar 7, 2024

I think that very much depends. If you checkout through PayPal you might well have to login. But it also strikes me as very risky that some autofill functionality works and some doesn't. I don't think web developers will be able to make the right tradeoffs here as it creates a very subtle model. And web developers will just want to enable COOP+COEP and choose the most expedient route to get there.

(Also, autofill of other data might well be domain-bound in some way.)

@adamziel
Copy link

Lack of credentialless support is an issue for WebKit users browsing specific WordPress sites. You can't do these two at the same time:

  • Use iframes to embed content from other sites
  • Use SharedArrayBuffer

These two require conflicting CORP headers, but can work together with <iframe credentialless>. See swissspidy/media-experiments#294 for more details.

@annevk
Copy link
Contributor

annevk commented Apr 25, 2024

Thank you, rest assured that we know how the feature works and what it enables. The problem I tried to outline above is that we don't think we can support this in a way that safeguards end users.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
concerns: security This proposal may cause security risk if implemented from: Google Proposed, edited, or co-edited by Google. topic: frames Proposa relates to frames or iframes topic: loading topic: privacy topic: security topic: storage Spec relates to storage mechanisms such as cookies, IndexedDB, or LocalStorage venue: WICG Proposal is incubated in the Web Incubator Community Group
Projects
Development

No branches or pull requests

5 participants