whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Order of CSP, COEP, CORP, COOP, etc. checks don't match chromium #6564

Open zcorpan opened 3 years ago

zcorpan commented 3 years ago

I wrote a test to test ordering of COEP reporting vs CSP and X-Frame-Options, and was a bit puzzled by the observed outcome in chromium. @ArthurSonzogni commented:

You compared COEP and CSPEE (CSP embedded enforcement). The real CSP check is later. The current order is CSPEE < COEP < CSP in Chrome.

For now, in Chrome after receiving the navigation response:

  1. Check CSP embedded enforcement.
  2. Check COEP/CORP
  3. Check COOP vs sandbox
  4. Check download
  5. Check CSP (navigate-to, frame-src, prefetch-src, etc...) + before & after UpgradeInsecureRequest in the middle.
  6. Check CSP frame-ancestors
  7. Check X-Frame-Option

For now, my reading of the spec is:

  1. Check CSP (every directive)
  2. Check COEP
  3. Check X-Frame-Option
  4. [Check download]

Originally posted by @ArthurSonzogni in https://github.com/web-platform-tests/wpt/pull/28281#issuecomment-814948946

What do Gecko and WebKit do?

I don't see "CSP embedded enforcement" as a term in the CSP or HTML specs.

For upgrade insecure requests, I see https://fetch.spec.whatwg.org/#concept-main-fetch step 5, but don't know if it matches Chromium.
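A toy model of the two orderings discussed above, added here as an illustration and not taken from the spec, Chromium, or the WPT test: each post-response check either passes or blocks, and a blocking check short-circuits the rest, which is what makes the order observable through which violation report a test sees. The `Response` fields, the check names and the sample responses are all constructed for the example.

```python
# Added model, not spec or Chromium code: run the post-response navigation
# checks in a configurable order and stop at the first one that blocks.
from dataclasses import dataclass


@dataclass
class Response:
    headers: dict        # lowercase header name -> value (constructed)
    cross_origin: bool   # response origin differs from the embedding document
    embedder_coep: str   # embedder's COEP value: "" or "require-corp"


def check_coep(resp):
    # COEP require-corp: a cross-origin response needs CORP (CORS not modelled).
    if (resp.embedder_coep == "require-corp" and resp.cross_origin
            and "cross-origin-resource-policy" not in resp.headers):
        return "coep"
    return None


def check_csp_frame_ancestors(resp):
    # Simplification: any frame-ancestors value other than * blocks cross-origin embedding.
    csp = resp.headers.get("content-security-policy", "")
    if "frame-ancestors" in csp and "*" not in csp and resp.cross_origin:
        return "csp-frame-ancestors"
    return None


def check_xfo(resp):
    xfo = resp.headers.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN") and resp.cross_origin:
        return "x-frame-options"
    return None


# Chromium order from the comment: COEP (step 2) before CSP frame-ancestors (step 6) and XFO (7).
CHROME_ORDER = [check_coep, check_csp_frame_ancestors, check_xfo]
# Reading of the spec from the comment: CSP, then COEP, then X-Frame-Options.
SPEC_ORDER = [check_csp_frame_ancestors, check_coep, check_xfo]


def first_blocking_check(resp, order):
    """Name of the first check that blocks, or None. Later checks are skipped,
    so only one report is observed per navigation and the order matters."""
    for check in order:
        result = check(resp)
        if result:
            return result
    return None


# Constructed samples: the first violates both COEP and frame-ancestors, so the
# observed report depends on the order; the second only violates XFO.
BOTH_VIOLATED = Response({"content-security-policy": "frame-ancestors 'self'"}, True, "require-corp")
XFO_ONLY = Response({"cross-origin-resource-policy": "cross-origin",
                     "x-frame-options": "DENY"}, True, "require-corp")
```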

ArthurSonzogni commented 3 years ago

Firefox doesn't implement CSP embedded enforcement and I believe the spec is a "monkey-patch" that is injected into the HTML spec from: https://www.w3.org/TR/csp-embedded-enforcement/#html-integration (step 3)

@antosart @mikewest FYI.

domenic commented 3 years ago

Replying to https://github.com/web-platform-tests/wpt/pull/28281#issuecomment-814995871:

Following the current spec: checking COEP in between CSP and X-Frame-Option seems complex, because we currently check both CSP:frame-ancestors and X-Frame-Option together in Chrome. They are about the exact same thing. Moving the COEP check one step earlier in the spec would be much simpler.

Part of the issue is that the CSP specs want to handle all CSP things together. So grouping CSP: frame-ancestors and XFO is a bit unnatural.

We could probably make it work by just putting CSP-in-general and XFO together, and relying on the fact that (IIUC) the individual CSP checks do not have a defined order. So if we change the spec to COEP -> CSP -> XFO or CSP -> XFO -> COEP then implementations can always put the frame-ancestors CSP check after/before other CSP checks and thus put it together with XFO.

However, I don't know what other web implementations would prefer.

I suspect they'd be OK with changes here since COEP is relatively new (and only implemented in Gecko and Chromium). Maybe @annevk can help confirm.

ArthurSonzogni commented 3 years ago

I wrote: https://github.com/ArthurSonzogni/html/commit/3f94b829cc9aca2ee806e4d9f0b6d98d7a120d07

If @annevk is interested, I will propose this PR, and update zcorpan@ WPT test expectation.

annevk commented 3 years ago

No strong opinion, but I believe Firefox does implement CSP reporting so you can probably find out our current order. I do agree it's good to define and test order. 😊