Header for dissalowing SW registration (and implicitly removing SWs)? #224
Comments
|
Will attempt to capture the major issues involved here. First, background for those just tuning in:
The remaining threats revolve around compromised same-origin content. The naive version of this (which has been discussed at length) is the university homedir scenario. It's already the case that this content has full authority relative to other content on the origin, but SW's potentially exacerbate this. Another scenario worth considering is a transient pwning: a malicious SW could be served from the location of an (otherwise valid) image URL. Since it won't successfully update once the hole is closed, it may appear silent to site owners and users might be pwn'd for a long time. It was proposed at one point to remove SWs on 4xx responses, but this doesn't address the correct-but-doesn't-parse cloaking (and significantly complicates multi-datacenter rollouts). The proposed mitigations for these scenarios are:
|
|
It doesn't seem like the header would help for a shared host (e.g. university homedirs) that allows directories to set their own headers, e.g. using PHP. How about instead having the highest allowed SW scope be set by the path of the SW? For example, if the SW is hosted at https://example.com/sw.js, then https://example.com/foo/bar.html should be allowed to register that SW for any same-origin scope, including '/*'. But if the SW is hosted at https://example.com/foo/sw.js, then the highest allowed scope would be '/foo/'. Thus you would only be able to intercept content in the same directory or subdirectories of the location of the SW, which it is more likely that the author of the SW already has access to. |
|
It's a tricky problem. Limiting the scope to be under the current path, with no escape via a header, would prevent sites like https://mail.google.com/mail/u/0/, https://github.com/slightlyoff/ServiceWorker/issues, and http://www.yelp.com/biz/the-original-ghirardelli-ice-cream-and-chocolate-shop-san-francisco from registering a single service worker for their whole site given a deep link. They'd probably have to redirect through the root on every request that didn't already have an active service worker. Using a header to set a more permissive maximum scope would leave the university sites broken, but it might let more sites like rawgit.com keep working by default. I suspect @slightlyoff prefers the opposite default at least partly because https://tools.ietf.org/html/rfc6454#section-3.4.3 recommends against trying to subdivide origins. However, I'm still worried about the now-stronger requirement that sites need to isolate each user to their own sub-domain or serve this new header. What fraction of the web is this going to make exploitable? |
I think @johnmellor is proposing preventing registration for scopes parent to the service worker js file, not scopes parent to the registering page. It does solve the homedrive issue. Being able to put a file there becomes "proof" of ownership. Pretty sure we had a discussion about this already, but can't find it. Here are the issues:
|
|
As for the SW CSP stuff, there's a discussion over at #113 |
|
I vote for sticking to origin based policies and a HTTP header to allow/disallow registrations. https://tools.ietf.org/html/rfc6454#section-3.4.3 is based on a number of previous bad experiences trying to get anything more finer-grained than origins. Lets stick to origins and if sites want finer-grained isolation, then can use sub-origins http://www.chromium.org/developers/design-documents/per-page-suborigins |
|
Fundamentally insecure sites that don't control outbound headers can't be helped, I think. Nearly all other origin-based resources (IDB, storage, etc.) can be poisoned. Restricting SWs here only changes the scope of the poisoning. I'd previously considered the path restriction (can't quickly find the bug where I proposed it) but ended up deciding against it based on the ability of evil content on an origin to screw with so many other aspects of content for that origin. The argument from defense in depth is intresting to me, though. |
Poisoning at least requires you to find a vulnerable script that reads and evals (or similar) a value from storage. Whereas installing a SW grants you god-mode on all future requests to the origin. If we don't want to split origins based on paths (and I understand there are good reasons for this), then perhaps the best mitigation is to require Service Worker scripts to always be located in the root directory? |
|
This would difficult usage... What about like CSS, where paths are relative |
|
@piranna : agreed. The better alternative (which I had previously considered) is to not allow the page to register for a scope broader than it's current-path-component + "/*". Constraining the location of the script itself doesn't buy you much. The real issue is the scope. There will always be ways to trick a well-written worker script into doing "bad" things when under the control of an attacker. The only meaningful defense is to ensure that attackers can only attack themselves. The path restriction on scope has the benefit of perhaps enabling sites like github.io from not needing to freak out as soon as a browser supports SWs. Have opened #253 to discuss further. I'd like to refocus this issue on design for headers for detection/remediation/control. We clearly need them as well. |
|
I don't see how the CSS argument makes sense. If it is associated with a document and that document is associated with a service worker, that service worker will see all requests. |
|
I asking about using a similar scheme to how CSS works, where the referenced paths (for example for images) are relatives to the CSS file. In that case, paths would be relatives to the SW file. This way we can use the same SW from |
|
No. |
|
Chromium now appends a 'Service-Worker: script' header to SW script requests (but not its imports). This header can be used by administrators to block registrations. Is such a header still considered necessary or useful? |
|
Cannot really think of a good reason why in the TLS-only, same-origin world. |
|
This sort of header would be useful for detecting and recovering from XSS, which is still a risk in the TLS-only world. I have to defer to @metromoxie, etc. to say whether this particular header is the right way to do it. |
|
How would you inject a service worker? It has to be a networked same-origin resource. We will likely add the ability to disable service workers through CSP. They have their own request context. |
|
The attack would require:
An example of this would be a comment on an article that allows script execution, and also has an endpoint on the origin that displays the comment content. Setting a CSP directive after the attack doesn't work. The site owner would need to identify all the locations users are requesting serviceworkers from, and return an serivceworker that unregisters itself. In the past I've suggested requiring a valid javascript mime type for serivceworkers to reduce the possibiility of this attack. As for the header itself (if we still think we need it), I think |
|
Were we not going to require a valid JavaScript MIME type for service workers? |
|
(If we do end up needing a header here, per http://lists.w3.org/Archives/Public/ietf-http-wg/2010OctDec/thread.html#msg105 there's something called a Purpose header, but maybe the semantics are slightly off.) |
|
Oh, didn't realise we decided on requiring a JS mime type. Makes sense to me. Great. So, I guess the remaining "attack" is a homedir system where the origin gets sericeworker'd because the site owner didn't set CSP to block serviceworkers. They'd need to find all the SW update requests and serve an unregistration script. Would it be easier if the "no serivceworker" CSP header also unregistered serviceworkers? Those headers can't be spoofed when checking the SW for updates. |
|
Yeah, if you have a CSP network level header that forbids SW, it would make sense if any existing SWs for that origin were nuked. |
|
Not sure nuking all on the origin makes sense, but certainly registrations using that use that url for SW updates. |
|
I talked to @slightlyoff, and I think we both came away believing that if:
@slightlyoff made the point that we need some XSS-recovery technique before shipping Service Workers, that we want to ship SWs soon, and that something like the I'm curious if the folks implementing this and the CSP spec editors agree with Alex's estimate of the timelines. It'd definitely be nice to only ship one way of doing the same thing. |
|
@mikewest how quickly do you think we can get CSP to block serviceworker? We're looking for a header to block registrations & unregister if the header appears on updates. Feels uncontentious to me. |
|
I've started a thread on webappsec to talk about the CSP approach to this. I think that's independent of whether to include the |
|
I think we should keep including this (or something like it) in order to On Mon, Jul 21, 2014 at 7:39 PM, Jeffrey Yasskin notifications@github.com
|
This is based on a suggestion in http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0102.html which is similar to a suggestion in w3c#224 (comment). The CH- prefix matches the Client-Hint pattern in a couple other specs, including CH-CSP. Lower-case "serviceworker" matches the list of contexts in Fetch: http://fetch.spec.whatwg.org/#concept-request-context
This is based on a suggestion in http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0102.html which is similar to a suggestion in w3c#224 (comment). The CH- prefix matches the Client-Hint pattern in a couple other specs, including CH-CSP. Lower-case "serviceworker" matches the list of contexts in Fetch: http://fetch.spec.whatwg.org/#concept-request-context
…vice Worker at that scriptURL. Joshua Peek suggested that this should work (http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0109.html) because `sandbox` gives the resource a unique origin, which combines with Service Workers' same-origin policy to disallow execution. See w3c#113 and w3c#224.
…vice Worker at that scriptURL. Joshua Peek suggested that this should work (http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0109.html) because `sandbox` gives the resource a unique origin, which combines with Service Workers' same-origin policy to disallow execution. See w3c#113 and w3c#224.
|
I'll work on a draft to suggest how we should use the labels and milestones. enhancement: anything that was assessed as not having any impact on milestone 1 decisions and can therefore be safely discussed, rejected or prioritized later. milestone: to mark items we agreed to get done in principle by a given revision. I would argue that we should only focus on the current milestone and leave the rest without specific milestones. |
|
@mikewest Am I right in thinking the CSP that prevent service worker reg is |
Pending discussion of CSP policy, it seems as though we should either craft the CSP support in such a way as to dissalow registration of SW's based on header (e.g., so that rawgithub.io can continue to function) and potentially unregister existing SW's when it encounters such a directive.
/cc @jakearchibald @mikewest
The text was updated successfully, but these errors were encountered: