IETF Logo Mail Archive

Re: Issue #356: Form-encode Expect-CT report bodies?

Emily Stark <estark@google.com> Fri, 09 June 2017 15:46 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 328F1128768 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 9 Jun 2017 08:46:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.5
X-Spam-Level:
X-Spam-Status: No, score=-6.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSGlGVgMZir9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 9 Jun 2017 08:46:25 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A3C01243F3 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 9 Jun 2017 08:46:25 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.84_2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1dJM4R-0007nK-E2 for ietf-http-wg-dist@listhub.w3.org; Fri, 09 Jun 2017 15:43:31 +0000
Resent-Date: Fri, 09 Jun 2017 15:43:31 +0000
Resent-Message-Id: <E1dJM4R-0007nK-E2@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <estark@google.com>) id 1dJM4J-0007lx-OJ for ietf-http-wg@listhub.w3.org; Fri, 09 Jun 2017 15:43:23 +0000
Received: from mail-ot0-f178.google.com ([74.125.82.178]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <estark@google.com>) id 1dJM4B-00013H-Dy for ietf-http-wg@w3.org; Fri, 09 Jun 2017 15:43:18 +0000
Received: by mail-ot0-f178.google.com with SMTP id i31so40737674ota.3 for <ietf-http-wg@w3.org>; Fri, 09 Jun 2017 08:42:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WsKaKeKWO5JilCdutU2b3KmssGwva/z+9fbKNmmDD3c=; b=iRw+aYXPOGvr/N+tBlRA42drVBbM84QgGgYwEkUi8KX7ni2BrPzuijU05QbW7HMQN6 1uGO0yZ2wQGaAZZWtLWqQ2bK3DK9KrlVLvfbOFXRFxag4TEySETeHis5IN2DyTWy+BjA PMBDFHfFpmLPGUPEvzeLpV+O9x+erC9dEJFke6l1ZCfmYHo5tJAYJSAnxtA6np+TegVg RGUWflmvIJ5WJCKujfTNjLtzT/HEYk870sUId7WpJ3QK26pOpTU0zxeKNDDJjEUNoLV+ PCuhCpveGtcsuaRzCm1snYDoLFIeRNYt+jnIkiv47UraBt31sxCt3qPK4ZR++wyA1JR4 65/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WsKaKeKWO5JilCdutU2b3KmssGwva/z+9fbKNmmDD3c=; b=qHBUoeGh1oj0TyzTyoKvd0ar4Y41Oy22LzlpLZDXMnGOLbwpFjPXgyTqUUkSBdnl+d X6ezN5dST0goIJC31MnqfQKfZ2h63v5B1qdsv43Ou63CiE6b0m4uEd5iDV5CqPXuC2Oc T7HcYesux3DZ6hRa/ebRosUerVsCrnqvYCO6uwRYygoCyC5rD+2AXJ0N5d1RDDaCHCca ezkardQdqWzTAIWaSqbEU5ZUTTy6vnquCJ2Hxw0p6c7QQuBfPm0wAQkAxg132WnXcgtp oFGsOLbJXNHd0nCeup13Xa1AB4Vpd3mssFZWPsIvaP+Uq9l/AFEX3JcXlHQ46DTvqwRg hKLQ==
X-Gm-Message-State: AODbwcBZaeGsYB0ZeYDESvLYODh+GS5lOnFzuAoSSpM+TSwstX4gPQMj KouIRWNwypAjEnY1Z1/tMpoj3isQYhXs
X-Received: by 10.157.45.56 with SMTP id v53mr20533659ota.68.1497022968404; Fri, 09 Jun 2017 08:42:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.66.86 with HTTP; Fri, 9 Jun 2017 08:42:27 -0700 (PDT)
In-Reply-To: <CABkgnnXEUdZ9M=911wGcNVqL+=qpwfvnE+3rNu1g3ApepyCKFA@mail.gmail.com>
References: <CAPP_2Sa+6eSAChgp8KrzabPJUkMmiKBhWp1dFhS0zOVnXrenLw@mail.gmail.com> <CAOdDvNoStrOu=SSZJrKMsQFjG2YVtiLqMdvXP_1PKJ_a+58Mfw@mail.gmail.com> <CABkgnnUVYB1Dqh4efe25bKx=-2iOBXHZg=3fgXjvbRn28b6nuw@mail.gmail.com> <CAOdDvNqquZymrmE3i3DFfdgVUuq-iWxr0+jvO3AF0NymnJK9Zg@mail.gmail.com> <CAPP_2SYNkReoDOjRKdEWtrP=ZGhPO2mKCoQm9Pm7LjcNLyoC+Q@mail.gmail.com> <CAPP_2SYLpKBo-rWV4oMG7V3FeN4aZ7fZEOdFgwFC8ASmFKmvqA@mail.gmail.com> <CABkgnnWU09-kV8gAu6xZV7n-rvrmL6R98EzA7O7nxTjBMFntpQ@mail.gmail.com> <CAPP_2Sa7b3XTgFE0VcF7-ffxYMOuhR8vHTROL88RDus4foP8CA@mail.gmail.com> <CABkgnnU-c4FbBNGz4V-jpO-Rwc5Evy7DFzmBdsT0xkZFv+Drxg@mail.gmail.com> <CAPP_2SY8h-ymtTubY0GMLqWctP4MXXu9nSiUU228gJ5drzZZQg@mail.gmail.com> <CABkgnnXEUdZ9M=911wGcNVqL+=qpwfvnE+3rNu1g3ApepyCKFA@mail.gmail.com>
From: Emily Stark <estark@google.com>
Date: Fri, 09 Jun 2017 08:42:27 -0700
Message-ID: <CAPP_2SYJGXqLOh_E56Aou5RgO2mLNzUYWVZHmwu9_vN2MsV9XA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, httpbis <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Content-Type: multipart/alternative; boundary="001a113d07e840ff8e055188d2fc"
Received-SPF: pass client-ip=74.125.82.178; envelope-from=estark@google.com; helo=mail-ot0-f178.google.com
X-W3C-Hub-Spam-Status: No, score=-4.9
X-W3C-Hub-Spam-Report: AWL=1.174, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1dJM4B-00013H-Dy 1cbca9e3ba07529c023a91c5b870ce19
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Issue #356: Form-encode Expect-CT report bodies?
Archived-At: <http://www.w3.org/mid/CAPP_2SYJGXqLOh_E56Aou5RgO2mLNzUYWVZHmwu9_vN2MsV9XA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33976
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

The URL can be attacker-controlled in the OCSP case too. (
https://github.com/bifurcation/expect-ct/issues/18#issuecomment-295867109)

As I said in my first message, implementing true preflights would violate
very core architectural principles in Chrome, and would jeopardize our
ability to ship an implementation. Maybe there are other implementors who
would like to chime in to the contrary, but as of now I'm not very inclined
to specify something that can't realistically be implemented.

So that leaves the null-origin preflight that Patrick suggested as the only
option on the table. Do you prefer that, Martin?

On Fri, Jun 9, 2017 at 8:22 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> The "first principles" notion also refers to the fact that the URL is
> attacker-controlled.  Being hard to do isn't a great reason not to
> preflight, though it is something to consider.
>
> On 9 June 2017 at 16:10, Emily Stark <estark@google.com> wrote:
> >
> >
> > On Fri, Jun 9, 2017 at 8:01 AM, Martin Thomson <martin.thomson@gmail.com
> >
> > wrote:
> >>
> >> On 9 June 2017 at 16:53, Emily Stark <estark@google.com> wrote:
> >> > CSP reporting isn't added to the CORS whitelist. It's been in
> violation
> >> > of
> >> > CORS for years and there are some vague plans to fix it by sending
> >> > preflights, but adding it to the whitelist hasn't really been
> discussed.
> >> > Anne has said that he prefers not to add more to the whitelist, which
> I
> >> > think is a reasonable stance. (see
> >> > https://lists.w3.org/Archives/Public/public-webappsec/
> 2017Feb/0009.html
> >> > --
> >> > though to be fair, the same text/plain idea is rejected in that thread
> >> > as
> >> > well)
> >> >
> >> > In addition to the fact that there's not really any principled reason
> >> > for
> >> > expanding the whitelist, it would mean that, say, an XHR can send the
> >> > new
> >> > header value, which shouldn't really be allowed.
> >>
> >> Ahh, I remembered that discussion, but failed to get that critical
> >> detail.  My point is that if you want to avoid a preflight, then make
> >> sure that you have an analysis to back it up, don't just dodge the
> >> issue by using a whitelisted MIME type.
> >>
> >> If that means using a preflight, then great.  If we go back to first
> >> principles, the "POST to intranet site" case would seem to suggest
> >> that some preflighting is warranted.
> >>
> >> Ultimately, I want the same answer for this and for CSP reports.  I
> >> would rather not add this to the pile of violating mechanisms though.
> >
> >
> > These are quite different scenarios though. With CSP, sending preflights
> is
> > totally doable and makes sense, except for the fact of the widely
> deployed
> > reporting servers that would break if we suddenly started requiring them
> to
> > respond to preflights. Expect-CT and HPKP are done as part of certificate
> > verification and it's not clear that they should be governed by CORS any
> > more than OCSP requests or any request made by the OS in the course of
> > loading a webpage. I agree with your "first principles" argument that if
> > they are cross-origin requests triggered in the course of loading a web
> > page, then they can be used by malicious web content and should be
> subject
> > to CORS... but at the same time I'm not sure that it's practical to
> require
> > that any request at any layer of the system triggered during the course
> of
> > loading a web page should go through Fetch and send preflights if needed.
> >
> >
>

v2.23.0 | Report a Bug | By Email