IETF Logo Mail Archive

Re: Issue #356: Form-encode Expect-CT report bodies?

Patrick McManus <mcmanus@ducksong.com> Wed, 07 June 2017 15:40 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DCFC129485 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 7 Jun 2017 08:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.4
X-Spam-Level:
X-Spam-Status: No, score=-6.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sendgrid.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezG4xt-KIjkI for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 7 Jun 2017 08:40:27 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 825251270A3 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 7 Jun 2017 08:40:27 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.84_2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1dId1G-0007Xa-Kp for ietf-http-wg-dist@listhub.w3.org; Wed, 07 Jun 2017 15:37:14 +0000
Resent-Date: Wed, 07 Jun 2017 15:37:14 +0000
Resent-Message-Id: <E1dId1G-0007Xa-Kp@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net>) id 1dId15-0006XO-N7 for ietf-http-wg@listhub.w3.org; Wed, 07 Jun 2017 15:37:03 +0000
Received: from o1682455182.outbound-mail.sendgrid.net ([168.245.5.182]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net>) id 1dId0v-0001Oc-HR for ietf-http-wg@w3.org; Wed, 07 Jun 2017 15:36:58 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.me; h=mime-version:in-reply-to:references:from:subject:to:cc:content-type; s=smtpapi; bh=s4qDyspK7eSKKzlKjB1UqfVH/k8=; b=rdQ9g5n7Hb1ChMUKLj YQzsWj5NjaWIDvf2GSgrVI9CVV7PMOKfUEpk2PcblxJccIqGBG+BXpsufiSrXIgC DaoGp6YzlplCjdTqabrzj3Gm57fNI9+jGJx3WKuAOojruUks/9yG2XC96dAHm25G vvNBB3oJjPCL+f1HC8JW750Gg=
Received: by filter0632p1mdw1.sendgrid.net with SMTP id filter0632p1mdw1-19612-59381D70-21 2017-06-07 15:36:16.547226339 +0000 UTC
Received: from mail-qt0-f175.google.com (mail-qt0-f175.google.com [209.85.216.175]) by ismtpd0005p1iad1.sendgrid.net (SG) with ESMTP id tdoPVUgFTV-cJFcyaERfFQ for <ietf-http-wg@w3.org>; Wed, 07 Jun 2017 15:36:15.979 +0000 (UTC)
Received: by mail-qt0-f175.google.com with SMTP id u19so10087790qta.3 for <ietf-http-wg@w3.org>; Wed, 07 Jun 2017 08:36:15 -0700 (PDT)
X-Gm-Message-State: AODbwcA11iaaTqj0/j+LHIzR6WsVIwKD5NX3nEXNOHq0EnUsFPgozple k08/x4YzK/5ybnEOUWgIbglxFkVhSA==
X-Received: by 10.237.61.145 with SMTP id i17mr693658qtf.239.1496849775639; Wed, 07 Jun 2017 08:36:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.178.74 with HTTP; Wed, 7 Jun 2017 08:36:15 -0700 (PDT)
In-Reply-To: <CABkgnnUVYB1Dqh4efe25bKx=-2iOBXHZg=3fgXjvbRn28b6nuw@mail.gmail.com>
References: <CAPP_2Sa+6eSAChgp8KrzabPJUkMmiKBhWp1dFhS0zOVnXrenLw@mail.gmail.com> <CAOdDvNoStrOu=SSZJrKMsQFjG2YVtiLqMdvXP_1PKJ_a+58Mfw@mail.gmail.com> <CABkgnnUVYB1Dqh4efe25bKx=-2iOBXHZg=3fgXjvbRn28b6nuw@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Wed, 07 Jun 2017 17:36:15 +0200
X-Gmail-Original-Message-ID: <CAOdDvNqquZymrmE3i3DFfdgVUuq-iWxr0+jvO3AF0NymnJK9Zg@mail.gmail.com>
Message-ID: <CAOdDvNqquZymrmE3i3DFfdgVUuq-iWxr0+jvO3AF0NymnJK9Zg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, Emily Stark <estark@google.com>, httpbis <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a1141b39a28c3500551607f81"
X-SG-EID: YLWet4rakcOTMHWvPPwWbcsiUJbN1FCn0PHYd/Uujh4vD7koLxDDZl23peVG/q+47YCCi3bW/ieMAN BBueLWsq/VL8v84+cRSWVZuf1n9Sj5t6USWn+QAN6WE/HPUfS7klz4buB5sjFTMzdHQSuBlmnXOP4Y 6T4nkorIj/81Uiuz6Rqkcob8htVzAeYZXtJN8VBTENfWuNfH9Os1/yeat/YT8a2eLxbcnl6Mca9ujs 8=
Received-SPF: pass client-ip=168.245.5.182; envelope-from=bounces+1568871-208f-ietf-http-wg=w3.org@sendgrid.net; helo=o1682455182.outbound-mail.sendgrid.net
X-W3C-Hub-Spam-Status: No, score=-5.0
X-W3C-Hub-Spam-Report: AWL=-1.055, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1dId0v-0001Oc-HR 68d324024ede15d18b562aaf11a95154
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Issue #356: Form-encode Expect-CT report bodies?
Archived-At: <http://www.w3.org/mid/CAOdDvNqquZymrmE3i3DFfdgVUuq-iWxr0+jvO3AF0NymnJK9Zg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33968
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Wed, Jun 7, 2017 at 3:39 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> Can we go to first principles?
>
>
I can learn, forget, and relearn cors more times in a day than I care to
count :)

fwiw, it seems an inconsistent state of affairs here..

csp report-uri is similar.. afaict the current spec applies fetch (and
therefore cors) rules to it after mandating no credentials.. but also
afaict that's not the reality of implementations. The OCSP example has a
lot of similarities too, though the uri is less controllable (but after a
few layers from the PKI root who really knows..). when talking through the
basic cors principles (credential leakage, read-side leaks, write-side
triggers) I didn't really see a problem with a non content UA request doing
this based on a policy decision to implement a spec but I can certainly see
how every UA might come to a different conclusion. Indeed I went back and
forth a few times. So Emily, I certainly see where your use of
"jeopardizes" comes from with option a. This IETF forum is only likely to
muddy the waters further, I'm afraid as we aren't the keepers of cors.

which kind of brings us to the more httpbis parts of your issue - the self
described option b. Those are indeed gross. Perhaps more a little less
offensive, but still non ideal, workarounds would be:
 * an empty string origin request header and an
access-control-allow-origin: * response
 * content-type: text/plain (its not right, but seems strictly better than
a form)

hth. (I'm prepared to be told those are bogus too.)

-P







> The URL is controlled by a site.  Though it doesn't include ambient
> authority (I hope), it can still be used to poke at things on the same
> side of the firewall as a client.  That would seem to qualify it for
> CORS.
>
> On 7 June 2017 at 12:23, Patrick McManus <mcmanus@ducksong.com> wrote:
> > my gut reaction: why would an expect-ct report be more subject to cors
> than
> > something like OCSP? (assuming it wasn't driven directly from content)
> >
> >
> > On Tue, Jun 6, 2017 at 6:45 PM, Emily Stark <estark@google.com> wrote:
> >>
> >> I'm looking for some feedback on
> >> https://github.com/httpwg/http-extensions/issues/356.
> >>
> >> Expect-CT violation reports are currently specified as POST requests
> with
> >> JSON bodies. When implemented in a web browser, such reports should
> arguably
> >> send CORS preflights, because the content type is not CORS-safelisted
> >> (https://www.w3.org/TR/cors/#simple-header).
> >>
> >> But sending CORS preflights for these requests doesn't really make sense
> >> from a web browser architecture perspective: CT compliance is checked as
> >> part of certificate verification and connection setup, divorced from the
> >> context one needs to send a CORS preflight (such as an Origin header).
> This
> >> is not just a theoretical layering issue; implementing preflights for
> >> Expect-CT reports in Chrome would be pretty challenging.
> >>
> >> I only see two options to resolve this, both of which seem bad to me:
> >>
> >> a) Leave the reporting part of the spec as it currently is, and leave it
> >> up to the UA to decide whether further operations such as CORS
> preflights
> >> are needed for sending reports. This would basically leave it to us in
> >> Chrome to decide either that Expect-CT reports should not be subject to
> CORS
> >> restrictions, or that we should not ship reporting. (I'm uncomfortable
> with
> >> this option because it somewhat jeopardizes the only active
> implementation
> >> effort that I know of.)
> >>
> >> b) The disgusting option: disguise Expect-CT reports as form
> submissions,
> >> which are not subject to CORS preflighting. This would mean the report
> body
> >> is sent as hostname=blah&port=443&... or we could even just send
> >> expect-ct-report=<stringified JSON blob>.
> >>
> >> Thanks,
> >> Emily
> >
> >
>
>

v2.23.0 | Report a Bug | By Email