Iframe credentialless (was: Anonymous iframe)

ArthurSonzogni commented 2 years ago

Request for position on an emerging web specification

This was previously filled as: https://lists.webkit.org/pipermail/webkit-dev/2022-April/032205.html but didn't get any replies. Since WebKit is now using this new Github Medium, I am asking again. We would appreciate your feedback. In particular, there is a recent discussion with Mozilla who suggested activating it via a sandbox flag instead.

WebKittens who can provide input: @annevk @cdumez

Information about the spec

Spec Title: Iframe credentialless
Spec URL: https://wicg.github.io/anonymous-iframe/#specification
GitHub repository: https://github.com/WICG/anonymous-iframe
Issue Tracker (if not the repository's issue tracker): https://github.com/WICG/anonymous-iframe/issues/
Explainer (if not README.md in the repository): https://wicg.github.io/anonymous-iframe/#explainer

Design reviews and vendor positions

TAG Design Review: https://github.com/w3ctag/design-reviews/issues/639
Mozilla standards-positions issue: https://github.com/mozilla/standards-positions/issues/628

Bugs tracking this feature

WebKit Bugzilla:
Radar:

Anything else we need to know

Anonymous iframes give developers a way to load documents in third party iframes using new and ephemeral contexts.

Anonymous iframes are a generalization of COEP credentialless to support 3rd party iframes that may not deploy COEP. Like with COEP credentialless, we replace the opt-in of cross-origin subresources by avoiding to load non-public resources. This will remove the constraint that 3rd party iframes must support COEP in order to be embedded in a COEP page and will unblock developers looking to adopt cross-origin-isolation.

This way, developers using COEP can now embed third party iframes that do not.

annevk commented 1 year ago

I think WebKit's storage policies are already pretty close to the desires of this feature:

Cross-site storage is already ephemeral (though it does outlast a document at the moment).
Cross-site cookies are disabled.
requestStorageAccess() is a mismatch presumably. (Filed https://github.com/WICG/anonymous-iframe/issues/16 on that.)
That cross-site documents of the same origin that are descendants of a singular top-level origin can communicate is a mismatch presumably. (Filed https://github.com/WICG/anonymous-iframe/issues/15 on that.)

I guess that Chromium doesn't mean for cross-site storage to become ephemeral?

ArthurSonzogni commented 1 year ago

Thanks @annevk !

I think WebKit's storage policies are already pretty close to the desires of this feature:

Yes, it has some similar properties indeed, which are nice!

However, at the end, the goal of iframe credentialless is to allow embedding safely non-COEP document inside a COEP one. In particular it must be safe with regards to Spectre attacks, because the parent can be crossOriginIsolated. That's the only "real" feature of iframe credentialess. Everything else are only means to this end.

From the current Safari state, if we wanted to supersede iframe credentialless and allow the embedding without it, I think we would have to:

Find a way to protect against attacks using a vulnerable cross-origin website. Every property you listed is Cross-Site, but Cross-Origin is needed instead. For instance, we don't want a vulnerability from blog.example.com to be used to leak data from accounts.example.com. The amount of security efforts developers are using is usually proportional to the value of the things they protect.
Prevent autofill and similar non-web features from leaking data into the process.
Prevent popups from leaking data into the process. This should be fine already assuming a crossOriginIsolated top-level ancestor requires COOP:same-origin.

I guess that Chromium doesn't mean for cross-site storage to become ephemeral?

I don't know myself if there are plans for this, beyond the current plan to bring in partitioning.

annevk commented 6 months ago

It has come to my attention that <iframe credentialless> is sometimes used for payment flows, despite autofill not being supported. Have you heard about this? That makes me very hesitant about this feature as it puts end users at risk, essentially training them to be phished.

ArthurSonzogni commented 6 months ago

+CC @CamilleLamy & @MikeWest, as I haven't worked on for years.</em> Payment data is not specific to the iframed's document, so there is no need to disable autofill here. Only username/password are needed. I guess clarifying <a href="https://wicg.github.io/anonymous-iframe/#proposal-autofill">this section</a> would help, even if this is about vendor specific recommandations?</p> <p>In Chrome's implementation, I remember it was <strong>explicitely</strong> decided not to. <a href="https://docs.google.com/document/d/1_EqoEtozhMjsgfB3AWVRV4jAhTqD79JF6KH5AvGvIKo/edit?tab=t.0#bookmark=id.9u0w41qtfasr">[internal design doc about autofill]</a>.</p> <details> <summary>extract</summary> **Question:** What components of autofill need to be disabled? There are several components in autofill: payment, username/password and addresses. From the design of anonymous iframe, the only component we want to disable is username and password autofill. We are interested in data both specific to the user and specific to the victim website. If the data isn’t specific to the website, then the attacker can get the same information from its own page anyway. </details> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 6 months ago</strong> </div> <div class="markdown-body"> <p>I think that very much depends. If you checkout through PayPal you might well have to login. But it also strikes me as very risky that some autofill functionality works and some doesn't. I don't think web developers will be able to make the right tradeoffs here as it creates a very subtle model. And web developers will just want to enable COOP+COEP and choose the most expedient route to get there.</p> <p>(Also, autofill of other data might well be domain-bound in some way.)</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/adamziel"><img src="https://avatars.githubusercontent.com/u/205419?v=4" />adamziel</a> commented <strong> 4 months ago</strong> </div> <div class="markdown-body"> <p>Lack of <code>credentialless</code> support is an issue for WebKit users browsing specific WordPress sites. You can't do these two at the same time:</p> <ul> <li>Use iframes to embed content from other sites</li> <li>Use <code>SharedArrayBuffer</code></li> </ul> <p>These two require conflicting CORP headers, but can work together with <code><iframe credentialless></code>. See <a href="https://github.com/swissspidy/media-experiments/issues/294">https://github.com/swissspidy/media-experiments/issues/294</a> for more details.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 4 months ago</strong> </div> <div class="markdown-body"> <p>Thank you, rest assured that we know how the feature works and what it enables. The problem I tried to outline above is that we don't think we can support this in a way that safeguards end users.</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

WebKit / standards-positions