-
Notifications
You must be signed in to change notification settings - Fork 333
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add unsafe-no-cors mode #1533
base: main
Are you sure you want to change the base?
Add unsafe-no-cors mode #1533
Conversation
We identified a potential need for a more sustainable no-cors mode in discussion surrounding FedCM. The purpose is to create a browser-process priveleged mode that will not fail the Access-Control-Allow-Origin CORS checks while otherwise behaving like a normal CORS request. Here are the deviations I have made from cors mode to make unsafe-no-cors are: - do not perform the "CORS check" (ACAO/ACAC) - allow the request to set a new omit origin flag that forces omission of the Origin header - require a request to have a policy container specified (via the client is allowed) - require the service worker mode to not be all Because this is such an unsafe mode I added an explanation inline with the other definitions of request modes and a warning about concerns and hand-waves about the client's agent cluster. Happy to get feedback on this draft!
Reading your draft I think you and I might have understood the outcome of the meeting differently. Here's what I think:
|
I think we understood the same thing at the end of the meeting, by my understanding diverged with the days between the meeting and when I sat down to draft and my own poor note-taking. I will take another pass to more closely reflect the version you describe in your first two bullets.
I don't think that's quite what I'm doing. I made two distinct changes wrt policy containers:
I was thinking that the caller using unsafe-no-cors would construct or have available a global or environment that is the "main process" context and be able to use that. That felt out of the scope of this spec, aside from the warning I added, since the request's client is an argument. |
Right, but you are changing the type of argument here. So all callers would need to start passing in a different argument as well and I guess we're hoping/knowing that we need nothing that isn't available on a policy container? |
Ah, I missed that the algorithm definition is export. |
"stable no-cors" vision
Alright, I'm about to upload a new version that is more in line with a "stable no-cors" vision. The diff looks small because some of the algorithms actually just work the way we want when a new enum value is added without any change needed. For example, in no-cors specific checks like "Cross-Origin-Embedder-Policy allows credentials" we are exempt because we are not "no-cors". I still need to consider the ECMAScript and HTML integration and sort out the neatest way to get caller-control over the presence of the Origin header in unsafe-no-cors. However, I think this benefits from share-early-share-often, if only to keep visibility into the thought process. |
fetch.bs
Outdated
@@ -1796,13 +1798,27 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>. | |||
<dt>"<code>navigate</code>" | |||
<dd>This is a special mode used only when <a>navigating</a> between documents. | |||
|
|||
<dt>"<code>unsafe-no-cors</code>" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider naming this something like "host-no-cors" or "ua-no-cors" or something else that indicates what purpose it serves. Just "unsafe" is likely to scare off people who should use it, and not dissuade overconfident people who think they know what they're doing. Since this is only for use in web standards, that'll get caught eventually in spec review, but that could be much later than we want, and a better name could move the right design earlier.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unsafe-no-cors
was @annevk's name for it, so I'll defer to him for a renaming decision.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think unsafe is exactly right given that it exposes the contents of the response in the process it was invoked in. It's a name that is supposed to make you ask your peers for advice. I don't think host or ua has that kind of effect, especially since we don't have clearly delineated "host/ua agent clusters".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, the point of this mode is that it must only be used from the browser process or an equivalently-trusted process, so the response was already exposed there. If it's invoked by that sort of caller, are there any situations where it would still be unsafe?
I have a general rule to avoid "unsafe" and "safe" in naming, since they usually refer to just one kind of safety that was salient to the original author (here, exposure of resource bytes, I think), and future users tend to assume a different kind of safety and so get into trouble.
We could be more specific about what's unsafe instead of trying to name according to the intended caller. E.g. "no-cors-override-exposure-policies". But I suspect that naming according to the intended caller will make it easier to figure out how to maintain this mode's behavior in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I follow the policy that we use for introducing "unsafe" in various places in the web platform. Namely that it requires additional attention. Is easy to lint, etc.
It also very much depends on what happens with the response bytes, how the request is setup, etc.
One point against "unsafe" here might be that it's not useful to web developers as this value is also exposed to them. From that perspective "user-agent-no-cors" is prolly better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One point against "unsafe" here might be that it's not useful to web developers as this value is also exposed to them. From that perspective "user-agent-no-cors" is prolly better.
Just to double check: do I understand it correctly that this is also going to be exposed to web developers (as Sec-Fetch-Mode=unsafe-no-cors
), in addition to browser engineers?
If so, the name shouldn't trigger suspicion by the web developer (who should trust that the spec was written in a careful and thoughtful way, rather than something that the developer has to re-check again), right?
From that perspective "user-agent-no-cors" is prolly better.
Right. user-agent-no-cors
would make it do and I think would also address @jyasskin 's point (and @annevk 's, to trigger spec reviewers to look carefully).
FWIW, mediated-no-cors
could work too for me, just as a suggestion (user-agent-no-cors
works too I think).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah. I think in this case since web developers are not making the unsafe decision it's indeed probably best if they don't see the word unsafe. I think there are other cases though where web developers seeing the word unsafe is good, e.g., unsafe-eval
.
I like user-agent-no-cors
best still.
fetch.bs
Outdated
@@ -1796,13 +1798,27 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>. | |||
<dt>"<code>navigate</code>" | |||
<dd>This is a special mode used only when <a>navigating</a> between documents. | |||
|
|||
<dt>"<code>unsafe-no-cors</code>" | |||
<dd>This is a special mode for the <a>host environment</a> to use internally to wittingly make |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is "host environment" the right term? It's odd to borrow a Javascript term for something in Fetch that's not integrated in any other way with Javascript infrastructure. I might just use [=user agent=].
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I reached for "host environment" because I was talking about agent clusters in the warning and also mentioned the host environment there. I'll change this reference to [=user agent=], but do you think I should leave the reference in the warning alone?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would probably change both to "user agent" or say something about the required memory isolation in the warning, but I don't feel strongly about it. I think we really want something about how trusted the other code in that agent cluster's process is, but I don't think we have the right terms defined for that, and I don't think this change needs to block on thinking through and defining those.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay. I'm changing the warning to be "user agent" as well and mention memory isolation explicitly, rather than directly call in Javascript concepts.
In the documentation for the new mode, we should probably also mention that the request is made from a context that is in some way "detached" from the document/client environment settings object. Regarding the rest of the spec, this entails at least two things:
|
I think so. I'm adding the conditioned assertion into fetch. RE: the Origin discussion: This is a shortcoming of this PR and I need to add a new member to request to permit forced Origin header elision.
I am open to either solution here. I think if there is an expectation that the "client" is a snapshot of some variety, that should be clear and able to be relied upon, so I lean that direction. However, a null client should be applicable here. Looking through the spec there are only a couple of instances where a null client raises my attention and I am curious how they are handled currently:
I would expect most uses to have a "window" of "no-window" but do not see a reason to exclude other values. |
Converted to |
When you say "which is already in the spec as a possible argument," do you mean that we expect all |
I meant that this spec already supports a |
I guess we need to make a decision regarding what to do with Snapshotting clientIf we decide that snapshotting ESO is a good idea, then I think this means every user of these kinds of requests would be responsible for snapshotting some ESO themselves as the request's client (or maybe the Fetch entrypoint could try and implicitly do it somehow?). Some concerns:
In any case, this approach is simple in for the Always null clientIf we decide against the snapshot ESO idea and instead require So if we went this route we'd probably want to assert that an explicit policy container + any other interesting state gets explicitly passed in on the request. That state would likely just be a clone/snapshot of the Document's policy container and additional state, which isn't any better than the snapshotting ESO idea above.
Given all of this, I too lean in the direction of assuming that unless explicitly passed in, the request's client is a snapshot of the associated Document's ESO. But we should gather more feedback, perhaps @annevk has opinions? Also, it would be great to more explicitly lay-out the integration that this has with #1442 and whatever response-blocking technology already exists (I'm told CORB no longer lives in Fetch, so maybe there is none?), to get a feel for what major behavior change this would entail especially for implementers. Is it simply the fact that |
@@ -4039,7 +4071,9 @@ the request. | |||
<a for="environment settings object">global object</a> is a {{Window}} object; otherwise | |||
"<code>no-window</code>". | |||
|
|||
<li><p>If <var>request</var>'s <a for=request>origin</a> is "<code>client</code>", then set | |||
<li><p>If <var>request</var>'s <a for=request>origin</a> is "<code>client</code>" and either | |||
<var>request</var>'s <a for=request>mode</a> is not "<code>user-agent-no-cors</code>" or |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is an "or and" in this sentence (and I cannot decide whether it should be "or" or "and")
Based on conversations at TPAC, cookie layering work looks like it will solve this eventually. Closing this for completeness. |
I'm not sure. The motivation for this was some discussion around FedCM fetch requests, of which there are two interesting ones:
We agreed that the ID assertion fetch can use CORS and can piggyback off of the cookie layering work to send SameSite=None cookies. But the accounts list fetch I think is still somewhat unsolved. That either has to:
I'll re-open until we discuss the accounts fetch solution more, if that's alright. |
We identified a potential need for a more sustainable no-cors mode in discussion surrounding FedCM. The purpose is to create a browser-process priveleged mode that will not fail the Access-Control-Allow-Origin CORS checks while otherwise behaving like a normal CORS request.
Here are the deviations I have made from cors mode to make unsafe-no-cors are:
Because this is such an unsafe mode I added an explanation inline with the other definitions of request modes and a warning about concerns and hand-waves about the client's agent cluster.
Happy to get feedback on this draft!
*
*
Preview | Diff