Re: [Wpack] Sec-Content-Origin clarification question (was Re: About content-based origins)
Devin Mullins <twifkak@google.com> Wed, 25 March 2020 18:26 UTC
Return-Path: <twifkak@google.com>
X-Original-To: wpack@ietfa.amsl.com
Delivered-To: wpack@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18CF23A07D3 for <wpack@ietfa.amsl.com>; Wed, 25 Mar 2020 11:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.589
X-Spam-Level:
X-Spam-Status: No, score=-9.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jkFJCsh3Bjro for <wpack@ietfa.amsl.com>; Wed, 25 Mar 2020 11:25:58 -0700 (PDT)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B46C3A0C54 for <wpack@ietf.org>; Wed, 25 Mar 2020 11:25:58 -0700 (PDT)
Received: by mail-wm1-x32e.google.com with SMTP id 26so5584057wmk.1 for <wpack@ietf.org>; Wed, 25 Mar 2020 11:25:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YpBexxzcJ5WfP870V8pj+BdtdwTWq3aRiHvJ4ZMIMAg=; b=XDBaApW9YDk8Ez4IIyX7+5aCaHvc87pvkKfyQeRfWZmZcZB+StARCfRUghijzAypQI peLbYjpTD1b3zDCZksqfCfbhjkVFd+rq09+0Tn9pcNrfeKVU/BFlgN7oQW6wTgG/wmic NObPZNLMO5tpIQy6jMxfXTwn+nz0MqyO/7KE9ao1zFJ/+Gc7O05OGTgABUEhMzmcDJ6D Vt8wfKSwER9gZB4aA11OSBh+YKXbd+X9YknSZvkrRuvli47YigqpIbaInXvjLVcSz903 LekERcVpB+9h2btVKZTOTn4OArgPG4/MUaowgxz6aDl/5DGKYKONGhZ+jr+383TchK8x Gq7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YpBexxzcJ5WfP870V8pj+BdtdwTWq3aRiHvJ4ZMIMAg=; b=lvJbCHpssnbiLJlmqyB6cYOcGuXh2YazpfLfukJ5pp1wvZqdDUuDjUK2ppqmgG7SEP E2oHAAX9Cv4Iv2lKDbs/VE0hxyg/8ZcP7gQdjsIK1zUOYTgiyztC7d/0wyXY5kI08RWo 9HDb0MSgGDQeMXIa77mnnz0nFIwtvIDibMgS2STMXz1prDzvcb4Xhb4uXbZetRVKLq5C zeSgveg3kYs5j6+3n6zF7ZfyHV3/dDBDYeF3IvR4jyzydnIDzKjds5a1LVr2FaHbk3QO lHfCq7g1xItrfddeRNddVeHAfTXTbppEZpSrJfBbIOtfwE38IfoClbB0KtsqNDWw8YhA f2/w==
X-Gm-Message-State: ANhLgQ10J2X71JIKFmNzNojmrZTYOXlCow5inWHA/Nt9JsIN6gykC4SG 9Pp4r15vv5QzGs8eVpROwqBPB7OYmn/5ioHnvvZ8ng==
X-Google-Smtp-Source: ADFU+vulCzCO9LDmFCQq7NLe8SpX6hwB9EwFE25XdfaA/GUq9CN6Xw376YgC2LiGW8AEYkOcGc7W1LrvZoMe6zqcsEs=
X-Received: by 2002:a1c:f409:: with SMTP id z9mr4926682wma.51.1585160756078; Wed, 25 Mar 2020 11:25:56 -0700 (PDT)
MIME-Version: 1.0
References: <260dfc2f-8399-483e-859d-08f92821c823@www.fastmail.com> <CANjwSimZAkAC0JJBjUjZr4k0514QRqDxBReOkq_AGTeGJ2OTzQ@mail.gmail.com> <CA+9kkMAvcGNXgT=gOid=uAgzyTPsof2s2e4wPRJiz1RfLokQ=Q@mail.gmail.com>
In-Reply-To: <CA+9kkMAvcGNXgT=gOid=uAgzyTPsof2s2e4wPRJiz1RfLokQ=Q@mail.gmail.com>
From: Devin Mullins <twifkak@google.com>
Date: Wed, 25 Mar 2020 11:25:28 -0700
Message-ID: <CANjwSikHoJJrDtB3VsKU7tS9_hubeCmo7kGnyHgbT86BxQdKmg@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, wpack@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c7a1ef05a1b1ffcd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wpack/NGVN0bJLOqz3LoRacKP4Ff_3Kmk>
Subject: Re: [Wpack] Sec-Content-Origin clarification question (was Re: About content-based origins)
X-BeenThere: wpack@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Web Packaging <wpack.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpack>, <mailto:wpack-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpack/>
List-Post: <mailto:wpack@ietf.org>
List-Help: <mailto:wpack-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpack>, <mailto:wpack-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 18:26:03 -0000
On Wed, Mar 25, 2020 at 10:28 AM Ted Hardie <ted.ietf@gmail.com> wrote: > If the ecosystem supported something like signed bundles and unsigned > bundles which used content identifiers, would you see a site sending a > Sec-Content-Origin response resulting in the user agent essentially > upgrading the bundle's treatment to the same as a signed bundle's, or would > there a third state (unsigned bundled, verified NI, signed bundle)? > If you're asking about user-agent behavior, I'll defer to folks who work on user-agents such as Martin and Jeffrey. In terms of how the framework would behave, I'm not the expert, but from the hip, I'd guess, if in all major user agents, signed bundles can access storage on their attested origin, then we'd bundle the same JS in both signed and unsigned cases. We'd have to move the state of any of our render-critical components [1] to indexedDB for unsigned, and after that, I don't see a reason to keep the non-indexedDB version around just for signed; it'd be a maintenance burden. (But I'm betting there's nuances I don't know about.) If transfer event handlers end up being a lot of code, we could optimize them away in signed bundles to save JS binary size, but I'm guessing they won't be a lot of code, therefore not worth the effort to factor the code for that ability. To make the above work, I'd think we'd need the "wait for transfer" DOM API to resolve immediately for signed bundles and non-bundled pages. Of course, with all things, this will take time. Since support for signed exchanges exists today, it would be easiest to migrate support to signed bundles initially, so I would expect a staggered rollout. I hope I answered your question! [1] or portions of the analytics/consent components, possibly >
- [Wpack] About content-based origins Martin Thomson
- Re: [Wpack] About content-based origins Ted Hardie
- Re: [Wpack] About content-based origins Ben Schwartz
- Re: [Wpack] About content-based origins Martin Thomson
- Re: [Wpack] About content-based origins Devin Mullins
- [Wpack] Sec-Content-Origin clarification question… Ted Hardie
- Re: [Wpack] Sec-Content-Origin clarification ques… Devin Mullins
- Re: [Wpack] Sec-Content-Origin clarification ques… Jeffrey Yasskin
- [Wpack] On double-hashing (was: Re: About content… Devin Mullins
- Re: [Wpack] On double-hashing (was: Re: About con… Devin Mullins
- Re: [Wpack] On double-hashing (was: Re: About con… Martin Thomson
- Re: [Wpack] On double-hashing (was: Re: About con… Devin Mullins
- Re: [Wpack] On double-hashing (was: Re: About con… Martin Thomson
- Re: [Wpack] On double-hashing (was: Re: About con… Devin Mullins
- Re: [Wpack] On double-hashing (was: Re: About con… Martin Thomson
- Re: [Wpack] About content-based origins Martin Thomson
- Re: [Wpack] On double-hashing (was: Re: About con… Devin Mullins
- Re: [Wpack] About content-based origins Devin Mullins
- Re: [Wpack] About content-based origins Martin Thomson