Re: Issue #356: Form-encode Expect-CT report bodies?

Emily Stark <estark@google.com> Fri, 09 June 2017 15:14 UTC

From: Emily Stark <estark@google.com>
Date: Fri, 09 Jun 2017 08:10:43 -0700
Message-ID: <CAPP_2SY8h-ymtTubY0GMLqWctP4MXXu9nSiUU228gJ5drzZZQg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, httpbis <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Archived-At: <http://www.w3.org/mid/CAPP_2SY8h-ymtTubY0GMLqWctP4MXXu9nSiUU228gJ5drzZZQg@mail.gmail.com>

On Fri, Jun 9, 2017 at 8:01 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 9 June 2017 at 16:53, Emily Stark <estark@google.com> wrote:
> > CSP reporting isn't added to the CORS whitelist. It's been in violation of
> > CORS for years and there are some vague plans to fix it by sending
> > preflights, but adding it to the whitelist hasn't really been discussed.
> > Anne has said that he prefers not to add more to the whitelist, which I
> > think is a reasonable stance. (see
> > https://lists.w3.org/Archives/Public/public-webappsec/2017Feb/0009.html --
> > though to be fair, the same text/plain idea is rejected in that thread as
> > well)
> >
> > In addition to the fact that there's not really any principled reason for
> > expanding the whitelist, it would mean that, say, an XHR can send the new
> > header value, which shouldn't really be allowed.
>
> Ahh, I remembered that discussion, but failed to get that critical
> detail. My point is that if you want to avoid a preflight, then make
> sure that you have an analysis to back it up, don't just dodge the
> issue by using a whitelisted MIME type.
>
> If that means using a preflight, then great. If we go back to first
> principles, the "POST to intranet site" case would seem to suggest
> that some preflighting is warranted.
>
> Ultimately, I want the same answer for this and for CSP reports. I
> would rather not add this to the pile of violating mechanisms though.
>

These are quite different scenarios though. With CSP, sending preflights is
totally doable and makes sense, except for the fact of the widely deployed
reporting servers that would break if we suddenly started requiring them to
respond to preflights. Expect-CT and HPKP are done as part of certificate
verification and it's not clear that they should be governed by CORS any
more than OCSP requests or any request made by the OS in the course of
loading a webpage. I agree with your "first principles" argument that if
they are cross-origin requests triggered in the course of loading a web
page, then they can be used by malicious web content and should be subject
to CORS... but at the same time I'm not sure that it's practical to require
that any request at any layer of the system triggered during the course of
loading a web page should go through Fetch and send preflights if needed.
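The CORS rule the thread keeps circling back to, as an added example that is not part of the original messages and not code from any browser or spec project: the Fetch standard's safelist decides whether a cross-origin POST goes out with or without a preflight, and a collector that accepts JSON reports has to answer that preflight. The collector policy in `preflightResponse` is a hypothetical assumption for illustration.

```javascript
// Added example, not code from the thread or from any browser or spec project.
// It models the Fetch-standard rule the thread argues about: a cross-origin POST
// whose Content-Type essence is form-urlencoded, multipart/form-data or
// text/plain needs no preflight; application/json forces an OPTIONS preflight.

const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// The essence of a MIME type: type/subtype without parameters, lower-cased.
function contentTypeEssence(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Simplified CORS check: would this cross-origin request need a preflight?
// (Ignores the spec's value-length and forbidden-byte rules on safelisted
// headers; the method and the Content-Type are what matter for reports.)
function needsPreflight(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === "content-type" &&
        !SAFELISTED_CONTENT_TYPES.has(contentTypeEssence(value))) return true;
  }
  return false;
}

// What a collector must return to an OPTIONS preflight for JSON reports.
// Hypothetical policy (an assumption, not from the thread): any origin may
// POST, but only the Content-Type header is permitted. Request header names
// are assumed to be lower-cased by the caller.
function preflightResponse(reqHeaders) {
  const method = (reqHeaders["access-control-request-method"] || "").toUpperCase();
  const asked = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (method !== "POST" || !asked.every((h) => h === "content-type")) {
    return { status: 403, headers: {} }; // non-2xx: browser fails the CORS check
  }
  return { status: 204, headers: {
    "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "POST",
    "Access-Control-Allow-Headers": "content-type", "Access-Control-Max-Age": "86400",
  } };
}
```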