-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define Sec-Fetch-Frame-Ancestors
.
#89
base: main
Are you sure you want to change the base?
Conversation
This patch aims to formalize the discussion from #56, defining a `Sec-Fetch-Frame-Ancestors` header that supplements `Sec-Fetch-Site`'s exposure of the relationship between a request's initiator and the request's target with additional context about the same-siteness of context within which the request was made. This should support developers' understanding of the viability of various `SameSite` cookie settings on the one hand, and the ways in which their resources are partitioned on the other.
I wonder if we should allow for two separate pieces of information:
The platform (including our shared understanding of the envisioned platform) makes this distinction in a number of places, though perhaps it's really the latter we want everything to converge upon on given an infinite timescale so perhaps it's reasonable to just expose that. Especially given that we haven't exposed anything for so long. cc @johannhof |
I agree that the latter (relationship with all ancestors) is where things would ideally converge. It's also what we're using today to make decisions about things like I don't object to exposing the relationship to the top-level document, but it's not clear to me what kinds of decisions that would drive for a server that received the header. I would be also interested in @johannhof's take, as he's a lot closer to the partitioning work than I am these days. @arturjanc and @lweichselbaum might have thoughts from Google's server-side perspective as well. |
I think that's also where we want partitioning / third-party cookie blocking to go by default, i.e. roughly the equivalent of SameSite=None being blocked by default, with Storage Access being able to bridge it given permission. Browsers differ in implementations in practice but I do feel like there's good alignment on this goal for security reasons. The only situation where top-level really makes a difference for web developers then is ABA, right? So, if the developer understood that the resource was cross-site with its ancestors but same-site with its top-level, they might want to utilize storage access got get access to unpartitioned cookies. So I agree this could be useful. Other related efforts:
|
I'm confident that things have shifted in the past few years, but I remember talking with @krgovind and @DCtheTall about this a while ago. At that point, I suggested keeping this header the way it's defined here (e.g. processing the whole inclusive ancestor chain), and perhaps introducing some other header (e.g. Assuming those are the axes we actually care about, perhaps we could simplify to a four-state enum? Something like |
same-site-with-top-only is the A>B>A embed case? If so that sounds like good coverage, though I could imagine a frame might want to know if it's cross-site with transient storage, that seems less important. |
I like the idea of joining the enums. I think we should continue to expose the origin value(s), for websites that want to impose stricter boundaries. |
Yes, that's the case it's meant to cover.
So: |
Maybe we could return a list of applicable categories rather than just a single one? Sites that cared about things like origin could look for same-origin (or maybe even a specific category like same-origin-with-top-but-only-same-site-with-ancestors), but others could just check for same-site in the list. |
Yeah, it seems there's six states (a couple combinations don't make sense which is why it's not nine):
Or maybe:
|
@annevk: Your latter arrangement seems more conducive to good developer decision-making, but I don't have strong opinions about the naming. I do wonder whether a dictionary would be more appropriate since these really are two semi-independent axes, but being consistent with the rest of fetch metadata probably suggests the single-token approach is the right one. I think I'd prefer to avoid a list; that feels more difficult for developers to reason about, but I might not be thinking about it the way you are, @arichiv. |
I think @annevk's proposal does cover all existing cases well, my proposal for a list is more about the potential for future expansion. We are designing this based on current partitioning models but if thinking evolved and we had others to add expressing this as a list or a dictionary would be more flexible (servers that didn't care about new tokens in the list or attributes in the dictionary would just ignore them). Otherwise we might be ensuring the need for a new header entirely if partitioning models ever wanted to shift again. |
I think we're going in the right direction here but don't have anything particularly helpful to add to the bikeshed :) |
Thanks all! I'm unlikely to have a ton of time this week to poke at this PR again to incorporate feedback, but I'm on a plane for too long over the weekend. Should at least be able to solidify the spec then for another round of feedback next week. |
Thanks @mikewest, this looks broadly reasonable to me. A couple of bikesheds:
|
+1 to |
With a bit of a delay and apparently my mind elsewhere, I just came to the same conclusion as this thread 😊 . High level: An indication whether a fetch was made as a popup or not would be great. |
Hmm... I might just be missing something but how would you imagine this header to indicate whether a fetch was made from(?) a popup? :) |
Yeah, popups is #83. This is about nested documents only. |
It seems like we're trying to convey two pieces of info:
Maybe it makes sense to convey those in two separate headers, instead of merging them into the same header? If I were writing a server that used these, I think I'd have an easier time using:
than the list in #89 (comment). From a practical standpoint, the two-header version conveys the exact same information as the single-header version; there are 9 possible combos, but as Anne said, some of them are nonsense, so only 6 could actually occur. However, having just read https://www.mnot.net/blog/2018/11/27/header_compression (found in the Fetch Metadata spec), I think the two-header form would perform a bit better on the wire, since the |
This patch aims to formalize the discussion from
#56, defining a
Sec-Fetch-Frame-Ancestors
header that supplementsSec-Fetch-Site
's exposure of the relationship between a request's initiator and the request's target with additional context about the same-siteness of context within which the request was made. This should support developers' understanding of the viability of variousSameSite
cookie settings on the one hand, and the ways in which their resources are partitioned on the other.