-
Notifications
You must be signed in to change notification settings - Fork 11
Conversation
This change introduces "reporting endpoint" concept which will be used as an reporting endpoint for potential COEP violations. Reporting behavior will be specified in future changes. Discussed at whatwg/html#5100.
This should probably follow the convention in #2 |
I'll do that after that change lands. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this patch! I have a few questions:
- Do we need a report-only mode? ( @arturjanc )
- We could do this in one header rather than two (or four, if
report-only
is a thing). Wouldn't a param be simpler?
Thank you!
What do you mean by report-only mode here? I'm planning to introduce the following behaviors:
I thought the third settings would be the "report-only" mode.
I'm fine with this. |
Got it. I'm fine with that. It's a little distinct from CSP, but that's not necessarily a bad thing. If we go that route, the single-header variant I've suggested above would require introducing a new token. Perhaps |
I fixed the header parsing part (I haven't changed the properties on context objects yet). Mike, can you take a look at that part? |
Now I think I addressed your comment. PTAL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks pretty reasonable to me. I'd like @annevk's opinion as well, as I think he disagrees about the header syntax, and we should probably chat about it rather than just landing this. :)
I think you've settled this already, but just mentioning that the approach above looks good to me (the 4 behaviors mentioned by @yutakahirano, possibly updated if we decide to go with the single-header variant). In general, I'd posit that there are a lot of benefits to having a report-only mode for everything :) |
Does anyone have some examples to evaluate? I find the diff a little hard to read. |
Accept mikewset's suggestion Co-Authored-By: Mike West <mike@mikewest.org>
Accept mikewest's suggestion Co-Authored-By: Mike West <mike@mikewest.org>
This change:
COEP headers now look like:
This change does NOT include how the reporting endpoint is used. I'm going to publish another PR for that part. @annevk, does this summary help? |
I would like the syntax to be aligned with COOP reporting. @camillelamy, are you fine with the proposal? |
The summary is great, thanks again! After discussion on IRC I think I'm okay with this approach, as we'll likely keep COOP and COEP scoped to a simple enumerated value. If anyone foresees them using more complex values, now would be the time to bring that up. (If the value can be more complex, I think you want more headers eventually, as explained in https://github.com/w3c/webappsec-feature-policy/issues/362#issuecomment-582302307.) |
@yutakahirano the |
@zcorpan Yes, thanks. Fixed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy with this % the discussion of parameter types. If @camillelamy and team are happy too, I'll pull it in.
Our proposal for COOP does not have the same syntax. Currently we're looking at 3 headers:
We could move to a model closer to the one you propose. but we'd still have two headers:
This is because COOP has 3 values, so we cannot make the assumption that unsafe-none + an endpoint means we want a report only mode for same-origin (it could be same-origin-allow-popups). The problem I see with the current approach for COEP is that if we want to add another value to the header, the report-only mode doesn't work anymore (like it wouldn't with COOP). If we foresee the need to eventually add another value, we should allow the developer to specify explicitly which policy they want report-only mode for instead of making this deduction. |
Thanks Camille! @yutakahirano had an idea for that problem when COEP gets to it, but now you contrast it with COOP I think we ought to solve it now so we can have a consistent reporting story across these two features. |
Thank you, Camille. Does the following work? cross-origin-opener-policy: policy; reporting_as=another policy; reporting_to=endpoint I'm also fine with the two-headers version. The three-headers version seems too verbose to me. |
I think the two headers version matches what CSP is doing, right? If I'm not mistaken, CSP has two headers: Content-Security-Policy and Content-Security-Policy-Report-Only. It might be easier for developers to have the same model for COOP and COEP? |
Fixed. Now we have two headers: "Cross-Origin-Embedder-Policy" (COEP) and "Cross-Origin-Embedder-Policy-Report-Only" (COEP-Report-Only). I removed "unsafe-none" value from the header(s). Cross-Origin-Embedder-Policy-Report-Only is ignored if there is (valid) Cross-Origin-Embedder-Policy attached; Hence there are four modes:
The "embedder policy" concept consists of value (either "require-corp" and "unsafe-none"), and reporting endpoint. Unlike the pair of headers above, this concept covers all modes by itself.
The embedder policy concept is not exposed to HTTP, so if the syntax grows we can change the concept without breaking things. @mikewest @annevk @camillelamy Are you fine with the latest change? |
Thanks! I am happy with the latest version. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM % one comment.
index.bs
Outdated
|
||
1. Set |header| to the result of [=isomorphic decoding=] |header|. | ||
2. Return a new [=/embedder policy=] whose [=embedder policy/value] is |parsed item|'s |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This means that COEPRO
is ignored in the presence of COEP
. This is probably fine for the moment, since there's only one value, but would make it difficult to support enforcement of one value and reporting on another if we have multiple values in the future.
Perhaps add a note to that effect? I'm not sure it's worth adding complexity until we need it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd say COEPRO is ignored if its value is equal to or weaker than the COEP value. That rule is natural, and we'll want to keep the rule even when we introduce more values. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- That's not the way CSP works.
- What do we do with
COEP: require-corp\nCOEPRO: require-corp; report-to=whatever
? Should that not send reports?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm... so you prefer having two values and endpoints. I'll try to modify the logic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we will need to have two values and endpoints to support both enforce and report-only at the same time. I don't think that's actually relevant to any developer's life until we have multiple values (I have require-cors
in the back of my head (because a value with a one-character difference to create radical behavioral differences is a great spelling option)), so I wouldn't mind explicitly punting on it. But doing it now certainly wouldn't be wasted effort.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. Now the embedder policy concept has four members.
- value
- reporting endpoint
- report only value
- report only reporting endpoint
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reporting endpoint / report only reporting endpoint is not set if value / report only value is not "require-corp" but it doesn't affect the behavior because we'll have nothing to report for "unsafe-none".
ping? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Let's land this and continue iterating. :)
Thank you! |
Being proposed as WICG/cross-origin-embedder-policy#8. This CL introduces a new mojo struct, CrossOriginEmbedderPolicyWithReporting to group related values. It has (virtually trivial) type mapping, because mojo::[Inlined]StructPtr is initialized as null while we don't want to allow null for CrossOriginEmbedderPolicyWithReporting. Bug: 1052764 Change-Id: I1985f24386c9dd3f76bfd2bab395b9103d14a4ff Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2060090 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#744490}
This change introduces "reporting endpoint" concept which will be used as an
reporting endpoint for potential COEP violations.
Reporting behavior will be specified in future changes.
Discussed at whatwg/html#5100.