Strengthen requirements on CORS-safelisted request-headers #736
Conversation
annevk
added
the
needs tests
|
@johnwilander @mikewest @ckerschb @bzbarsky I'd appreciate your review. @sicking this goes against what you advocated for in #313, but given Safari's success in locking this down and given that there continue to be security bugs in this area due to it not being locked down I think this is the responsible path forward. |
| </dl> | ||
|
|
||
| <li><p>If <var>value</var>'s <a for="byte sequence">length</a> is greater than 128, then return | ||
| false. |
There was a problem hiding this comment.
This is one step that Safari does not have, but it would help to have it to make it harder for attackers to determine cookie size and such.
There was a problem hiding this comment.
Don't we need to think about the total length of all headers, rather than the length of each header?
There was a problem hiding this comment.
Yeah, if we keep adding headers to this safelist that would indeed become a concern. Otherwise I was thinking that a low enough individual limit would make that unneeded.
|
@yutakahirano I looked at all callers of CORS-safelisted request-header and considered an alternative design whereby the input is a header list and the output is a list of headers that are not safelisted. That way we could have an overall size limit and if it is reached we'd just not safelist anything. However, the one problem with this approach is the Perhaps the solution to that is that we freeze " |
annevk
force-pushed
the
annevk/cors-safelisted-request-header
branch
3 times, most recently
from
8c2a14f
to
bcca834
Compare
|
I've pushed some commits that illustrate my above comment. I also filed #748 as a follow-up. Would love feedback from @yutakahirano @wanderview @chenjj and folks I tagged earlier. |
annevk
force-pushed
the
annevk/cors-safelisted-request-header
branch
from
121c13d
to
6a8e844
Compare
| @@ -414,38 +414,92 @@ each other by 0x2C 0x20, in order. | |||
|
|
|||
| <hr> | |||
|
|
|||
| <p id=simple-header>A <dfn export>CORS-safelisted request-header</dfn> is a <a for=/>header</a> | |||
| whose <a for=header>name</a> is a <a>byte-case-insensitive</a> match for one of | |||
| <p id=simple-header>To determine whether a <a for=/>header</a> <var>header</var> is a | |||
There was a problem hiding this comment.
Did you intent to produce text that says "header header" with the first header linked?
There was a problem hiding this comment.
Oh, I guess this is just <type> <var name>. Its just confusing to me when the type and variable name are identical.
|
I wrote tests for this at web-platform-tests/wpt#11432. I'm assuming at this point that Chrome and Firefox are on board with implementing this, but I'll give it some more time before landing all the things. |
This should reduce the attack surface of non-preflighted requests quite a bit. Tests: web-platform-tests/wpt#11432. Fixes #382. Closes #313.
annevk
force-pushed
the
annevk/cors-safelisted-request-header
branch
from
6800438
to
603ca21
Compare
|
I think this is good now. I'm planning on keeping this as 3 distinct commits since they're somewhat separate features, but all the tests are grouped. |
|
This looks good to me |
annevk
removed
the
needs tests
…ns, a=testonly Automatic update from web-platform-testsFetch: tests for further CORS restrictions For whatwg/fetch#736. -- wpt-commits: a70e655d979df85b59e977b61361c0d6d8bf2bf2 wpt-pr: 11432
…ns, a=testonly Automatic update from web-platform-testsFetch: tests for further CORS restrictions For whatwg/fetch#736. -- wpt-commits: a70e655d979df85b59e977b61361c0d6d8bf2bf2 wpt-pr: 11432
With this CL, some request headers that used to be treated as CORS-safelisted are not CORS-safelisted any more. Specifically, - "accept", "accept-language" and "content-language" have a stronger check on its value - All headers whose value exceeds 128 bytes are treated as not CORS-safelisted - If the sum of value length of CORS-safelisted headers exceeds 1024, then all of them are treated as not CORS-safelisted. This CL also implements https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header. This is for whatwg/fetch#736. Bug: 824130 Cq-Include-Trybots: luci.chromium.try:linux_mojo Change-Id: Ib12a7dbff6367717a43130ae59304dca55b7bf4e Reviewed-on: https://chromium-review.googlesource.com/1196563 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#589153}
This reverts commit 074455d. Reason for revert: Suspected of causing check failures across a variety of tests on the Android CFI bot. See https://crbug.com/881538 for more details. Original change's description: > Strengthen requirements on CORS-safelisted request-headers > > With this CL, some request headers that used to be treated as > CORS-safelisted are not CORS-safelisted any more. Specifically, > > - "accept", "accept-language" and "content-language" have a stronger > check on its value > - All headers whose value exceeds 128 bytes are treated as not > CORS-safelisted > - If the sum of value length of CORS-safelisted headers exceeds 1024, > then all of them are treated as not CORS-safelisted. > > This CL also implements > https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header. > > This is for whatwg/fetch#736. > > Bug: 824130 > Cq-Include-Trybots: luci.chromium.try:linux_mojo > Change-Id: Ib12a7dbff6367717a43130ae59304dca55b7bf4e > Reviewed-on: https://chromium-review.googlesource.com/1196563 > Commit-Queue: Yutaka Hirano <yhirano@chromium.org> > Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> > Cr-Commit-Position: refs/heads/master@{#589153} TBR=toyoshim@chromium.org,yhirano@chromium.org Change-Id: I9952df291ff0aeaab0b50c6cff3de418b2272e71 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 824130, 881538 Cq-Include-Trybots: luci.chromium.try:linux_mojo Reviewed-on: https://chromium-review.googlesource.com/1211958 Reviewed-by: Justin Donnelly <jdonnelly@chromium.org> Commit-Queue: Justin Donnelly <jdonnelly@chromium.org> Cr-Commit-Position: refs/heads/master@{#589323}
This is a reland of 074455d Original change's description: > Strengthen requirements on CORS-safelisted request-headers > > With this CL, some request headers that used to be treated as > CORS-safelisted are not CORS-safelisted any more. Specifically, > > - "accept", "accept-language" and "content-language" have a stronger > check on its value > - All headers whose value exceeds 128 bytes are treated as not > CORS-safelisted > - If the sum of value length of CORS-safelisted headers exceeds 1024, > then all of them are treated as not CORS-safelisted. > > This CL also implements > https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header. > > This is for whatwg/fetch#736. > > Bug: 824130 > Cq-Include-Trybots: luci.chromium.try:linux_mojo > Change-Id: Ib12a7dbff6367717a43130ae59304dca55b7bf4e > Reviewed-on: https://chromium-review.googlesource.com/1196563 > Commit-Queue: Yutaka Hirano <yhirano@chromium.org> > Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> > Cr-Commit-Position: refs/heads/master@{#589153} Bug: 824130 Change-Id: Ia5caad12a51ee44713cf4cf11f42b1fc9ab831a9 Cq-Include-Trybots: luci.chromium.try:linux_mojo Tbr: toyoshim@chromium.org Reviewed-on: https://chromium-review.googlesource.com/1212425 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#589434}
…a "safelisted headers" rules, a=testonly Automatic update from web-platform-testsFetch: align CORS test with new "safelisted headers" rules See whatwg/fetch#736 for context. -- wpt-commits: efa5cebbd4a2b5df055a12212c534b13052154b8 wpt-pr: 12797
…a "safelisted headers" rules, a=testonly Automatic update from web-platform-testsFetch: align CORS test with new "safelisted headers" rules See whatwg/fetch#736 for context. -- wpt-commits: efa5cebbd4a2b5df055a12212c534b13052154b8 wpt-pr: 12797
…a "safelisted headers" rules, a=testonly Automatic update from web-platform-testsFetch: align CORS test with new "safelisted headers" rules See whatwg/fetch#736 for context. -- wpt-commits: efa5cebbd4a2b5df055a12212c534b13052154b8 wpt-pr: 12797 UltraBlame original commit: 73dd9c2269361e4965ea1ab1f8eadc2addc9b934
…a "safelisted headers" rules, a=testonly Automatic update from web-platform-testsFetch: align CORS test with new "safelisted headers" rules See whatwg/fetch#736 for context. -- wpt-commits: efa5cebbd4a2b5df055a12212c534b13052154b8 wpt-pr: 12797 UltraBlame original commit: 73dd9c2269361e4965ea1ab1f8eadc2addc9b934
…a "safelisted headers" rules, a=testonly Automatic update from web-platform-testsFetch: align CORS test with new "safelisted headers" rules See whatwg/fetch#736 for context. -- wpt-commits: efa5cebbd4a2b5df055a12212c534b13052154b8 wpt-pr: 12797 UltraBlame original commit: 73dd9c2269361e4965ea1ab1f8eadc2addc9b934
This should reduce the attack surface of non-preflighted requests quite a bit.
Fixes #382. Closes #313.
Preview | Diff