IRC log of isolation on 2016-09-21
Timestamps are in UTC.
- 12:04:03 [RRSAgent]
- RRSAgent has joined #isolation
- 12:04:03 [RRSAgent]
- logging to http://www.w3.org/2016/09/21-isolation-irc
- 12:04:10 [JoeHallCDT1]
- mkwest: would like to talk about a few isolation proposals that have come up lately
- 12:04:11 [Zakim]
- Zakim has joined #isolation
- 12:04:16 [RobTrace]
- RobTrace has joined #isolation
- 12:04:17 [JoeHallCDT1]
- … have some goals on the Chrome team for this kind of thing
- 12:04:18 [annevk]
- annevk has joined #isolation
- 12:04:24 [JoeHallCDT1]
- … Moz does too, not sure those are the same goals
- 12:04:32 [JoeHallCDT1]
- … what are we talking about here?
- 12:04:48 [JoeHallCDT1]
- … many devs are building important, security-critical apps that they would like to be on the web
- 12:04:57 [JoeHallCDT1]
- … muchos advantages of being on the web
- 12:05:05 [JoeHallCDT1]
- … some applications, the web is v scary
- 12:05:19 [JoeHallCDT1]
- … one app, at Google, Chrome app… as opposed to a web site
- 12:05:25 [JoeHallCDT1]
- … bc afraid of being on the web
- 12:05:34 [JoeHallCDT1]
- … other entities can talk to you, not good
- 12:05:50 [JoeHallCDT1]
- … bug in the browser can allow evil.com to read state from your origin
- 12:06:07 [JoeHallCDT1]
- … [something] allows deployment on Google's servers
- 12:06:20 [JoeHallCDT1]
- … deploy as a Chrome app as opposed to web app, gave isolation properties
- 12:06:35 [JoeHallCDT1]
- … forced process isolation, impossible to accomplish direct communication
- 12:06:50 [JoeHallCDT1]
- … navigation from the web to this app is impossible, CSRF is no longer a threat
- 12:07:08 [JoeHallCDT1]
- … impossible to get a window handle to this app
- 12:07:20 [JoeHallCDT1]
- … can open, but can't post-message, send-message, look through frames
- 12:07:33 [JoeHallCDT1]
- … app opens a window, don't get a window opener back to the app
- 12:07:47 [JoeHallCDT1]
- … this seems like a failure of the web
- 12:07:54 [JoeHallCDT1]
- … shouldn't force building of a native app
- 12:07:56 [bz]
- bz has joined #isolation
- 12:08:08 [JoeHallCDT1]
- … @estark on Chrome team have been kicking around
- 12:08:18 [JoeHallCDT1]
- … some ways to apply isolation to the web
- 12:08:25 [JoeHallCDT1]
- … in ways that are compat with web, and of the web
- 12:08:31 [JoeHallCDT1]
- … document here
- 12:08:32 [mkwst]
- https://mikewest.github.io/isolation/explainer.html#isolation
- 12:08:42 [JoeHallCDT1]
- … idea is to spell out a threat model
- 12:08:48 [wseltzer]
- wseltzer has joined #isolation
- 12:08:52 [JoeHallCDT1]
- … kinds of isolation that are relevant that we'd like to provide
- 12:08:54 [wseltzer]
- rrsagent, pointer?
- 12:08:54 [RRSAgent]
- See http://www.w3.org/2016/09/21-isolation-irc#T12-08-54
- 12:08:59 [JoeHallCDT1]
- … not complete, but a good start to the convo
- 12:09:17 [wseltzer]
- rrsagent, make logs public
- 12:09:25 [JoeHallCDT1]
- … doc walks through threat model, policy options to allow web sites to implement isolation
- 12:09:36 [JoeHallCDT1]
- … and spells out the attacks this can protect against
- 12:09:39 [JoeHallCDT1]
- … a few ways this can go further
- 12:09:47 [JoeHallCDT1]
- … valuable to have a communication barrier
- 12:09:58 [JoeHallCDT1]
- … i.e., cutting off handle to windows
- 12:10:07 [JoeHallCDT1]
- … also navigation into those windows blocked
- 12:10:15 [JoeHallCDT1]
- … proposal last year Entry Point Regulation
- 12:10:21 [mkwst]
- http://www.collinjackson.com/research/papers/appisolation.pdf
- 12:10:21 [JoeHallCDT1]
- … based on:
- 12:10:25 [JoeHallCDT1]
- … ^^^
- 12:10:39 [JoeHallCDT1]
- … spells out a similar idea in terms of threat model and iso techniques
- 12:10:54 [JoeHallCDT1]
- … inspired site isolation effort in Chrome
- 12:11:04 [JoeHallCDT1]
- … allow sites to force separate processes
- 12:11:11 [JoeHallCDT1]
- … massive arch effort in Chrome
- 12:11:17 [JoeHallCDT1]
- … will be live in Chrome 55
- 12:11:33 [JoeHallCDT1]
- … want to get to a place where every site is a different process
- 12:11:51 [JoeHallCDT1]
- … need to figure out how sites can signal to a browser that they are important and should be a separate process
- 12:12:02 [JoeHallCDT1]
- … i.e., don't expose me to universal CSRF
- 12:12:21 [JoeHallCDT1]
- annevk: Moz mostly interested in running a document in its own process
- 12:12:35 [JoeHallCDT1]
- … there is a sig. number of 32-bit computers out there
- 12:12:50 [JoeHallCDT1]
- … allocating large buffers can run into address exhaustion problem
- 12:13:05 [JoeHallCDT1]
- … ran into it with Unity (?) who wants to get more games on the web
- 12:13:14 [JoeHallCDT1]
- … they don't want double-keying
- 12:13:24 [JoeHallCDT1]
- … but separate processes
- 12:13:36 [JoeHallCDT1]
- … add some flag, [?]
- 12:13:45 [JoeHallCDT1]
- mkwest: talk about containers project
- 12:13:57 [JoeHallCDT1]
- annevk: containers is browser-in-a-browser idea
- 12:14:02 [JoeHallCDT1]
- … paper just linked to
- 12:14:18 [Tomoyuki]
- Tomoyuki has joined #isolation
- 12:14:20 [JoeHallCDT1]
- … open a new container tag, won't be logged into FB anymore, for example
- 12:14:35 [JoeHallCDT1]
- … everything has a container key (an extra key) added
- 12:14:42 [JoeHallCDT1]
- … separate connection pool, etc.
- 12:14:46 [JoeHallCDT1]
- mkwest: user-facing feature
- 12:15:06 [igarashi]
- igarashi has joined #isolation
- 12:15:12 [JoeHallCDT1]
- … part of inspiration here was to take the user-facing feature and make it a dev feature
- 12:15:19 [JoeHallCDT1]
- … something here would be pretty valuable
- 12:15:28 [mkwst]
- https://mikewest.github.io/origin-policy/
- 12:15:30 [dbaron]
- dbaron has joined #isolation
- 12:15:33 [JoeHallCDT1]
- … may tie this to another proposal origin policy
- 12:15:33 [jungkees]
- jungkees has joined #isolation
- 12:15:42 [JoeHallCDT1]
- Leonardo: DPUB...
- 12:15:58 [JoeHallCDT1]
- … we don't want one book/document to influence another book/doc
- 12:16:05 [JoeHallCDT1]
- … don't want sharing of local storage
- 12:16:18 [JoeHallCDT1]
- mkwest: that's an interesting use-case
- 12:16:24 [JoeHallCDT1]
- … probably better served by sub-origin
- 12:16:40 [JoeHallCDT1]
- … multiple books on a single origin… book1.books.com book2.books.com
- 12:16:40 [anssik]
- https://w3c.github.io/webappsec-suborigins/
- 12:16:42 [Tomoyuki]
- rrsagent, make minutes
- 12:16:42 [RRSAgent]
- I have made the request to generate http://www.w3.org/2016/09/21-isolation-minutes.html Tomoyuki
- 12:17:03 [JoeHallCDT1]
- Leonardo: don't understand the diff between iso and sub-origins
- 12:17:11 [JoeHallCDT1]
- mkwest: iso proposes to isolate an origin entirely
- 12:17:15 [JoeHallCDT1]
- … we have SOP
- 12:17:32 [JoeHallCDT1]
- … evil.com can't get example.com's storage, but can open, post messages, etc.
- 12:18:07 [JoeHallCDT1]
- dbaron: to summarize: this is about making the restrictions of SOP stronger
- 12:18:17 [JoeHallCDT1]
- … suborigins is about dividing the origins more finely
- 12:19:01 [JoeHallCDT1]
- mkwest: my goal is that we want to make sure folks don't have to build Chrome apps
- 12:19:16 [JoeHallCDT1]
- … what do folks want to do?
- 12:19:32 [JoeHallCDT1]
- mikeo'neil: what about the origin policy?
- 12:19:50 [JoeHallCDT1]
- mkwest: idea about origin policy is to set properties for an origin instead of a resource
- 12:20:03 [JoeHallCDT1]
- … can set a CSP for a document, but doesn't have any impact on the origin itself
- 12:20:16 [JoeHallCDT1]
- … other headers, HSTS, have origin-wide impact delivered by a resource
- 12:20:26 [wseltzer]
- mkwst: think of a manifest for an origin
- 12:20:32 [JoeHallCDT1]
- … origin policy defines a manifest for an origin
- 12:20:44 [JoeHallCDT1]
- … and a set of headers pinned to the origin
- 12:20:50 [JoeHallCDT1]
- … lives in a WK location
- 12:21:12 [JoeHallCDT1]
- … e.g., go to example.com… here's the document, go get this manifest file (synchronous request)
- 12:21:21 [JoeHallCDT1]
- … think this should be good with h2 and PUSH
- 12:21:30 [JoeHallCDT1]
- … make rq, parse manifest
- 12:23:20 [wseltzer]
- https://mikewest.github.io/origin-policy/
- 12:24:02 [wseltzer]
- mkwst: this is origin-based, not resource-specific
- 12:24:45 [wseltzer]
- ... should probably update the navigation proposed
- 12:25:11 [wseltzer]
- Dom: synchronous? like XHR?
- 12:25:17 [wseltzer]
- mkwst: async, but blocks navigation
- 12:25:30 [wseltzer]
- ... navigation does not complete until you get a response
- 12:26:22 [wseltzer]
- ... the resource you're requesting has response headers that assert sthg about manifest
- 12:26:35 [wseltzer]
- ... that tells browser to get manifest (from cache, from push, from server)
- 12:26:49 [wseltzer]
- ... apply it to response before you return from navigation/fetch
- 12:27:00 [wseltzer]
- ... I think it would be ok to apply to subresources, but room to argue
- 12:27:09 [wseltzer]
- Dom: that's the kind of reassurance I was looking for
- 12:27:48 [wseltzer]
- bz: I have a page with a bunch of images. One gets the header, does it block the other images?
- 12:27:58 [wseltzer]
- ... I think that will cause interop problems
- 12:28:11 [wseltzer]
- mkwst: goal, that this is something origin asserts when you nav to the homepage
- 12:28:37 [wseltzer]
- ... compare HSTS
- 12:28:54 [wseltzer]
- bz: failure modes if you don't apply STS might be worse
- 12:29:00 [wseltzer]
- mkwst: open to discussion
- 12:29:09 [wseltzer]
- ... something in the response causes policy to be applied
- 12:29:15 [wseltzer]
- ... might be ext resource
- 12:29:20 [aliams]
- aliams has joined #isolation
- 12:29:26 [wseltzer]
- leonardo: suborigins?
- 12:29:32 [aliams]
- present+ Ali_Alabbas
- 12:29:33 [wseltzer]
- mkwst: yet to be determined
- 12:30:41 [wseltzer]
- ... Subdomains are separate origins.
- 12:30:59 [wseltzer]
- annevk: when are you shipping this?
- 12:31:09 [wseltzer]
- mkwst: it's lots of work. I hope Moz can get there quickly from containers
- 12:31:23 [wseltzer]
- ... not shipping tomorrow
- 12:31:43 [wseltzer]
- AdrianHB: Can a server ask a browser if it supports?
- 12:32:01 [wseltzer]
- ... e.g. very important bank wants to know or tell you to dl the app
- 12:32:12 [wseltzer]
- mkwst: not yet. possibly header
- 12:32:53 [wseltzer]
- mkwst: I think it's the case that there are browsers that can't do process separation; and chrome isn't going to guarantee process separation
- 12:34:00 [wseltzer]
- mkwst: defense in depth
- 12:34:11 [wseltzer]
- ... this doesn't substitute for CSRF protection
- 12:34:52 [wseltzer]
- ... EPR didn't go far because people didn't like its relation to linkability on the web
- 12:35:11 [wseltzer]
- ... hope this proposal has more support because server rather than UA-forcing
- 12:36:40 [wseltzer]
- ... possibilities, make this a new element in foreign fetch
- 12:36:51 [wseltzer]
- ... trying to respond to needs and keep webby properties
- 12:37:17 [wseltzer]
- bz: how do you provide protections in such a way that they're useful if not everyone is on a freshly minted browser
- 12:37:43 [wseltzer]
- mkwst: couch it in properties we already have, e.g. x-frame-options, but can't block headers
- 12:38:01 [wseltzer]
- ... maybe isolation proposal just becomes a collection of small things
- 12:38:14 [wseltzer]
- bz: assuming you don't want to mint a new protocol
- 12:38:35 [wseltzer]
- mkwst: that's worse, would completely break compatibility
- 12:38:56 [wseltzer]
- @@: restrictions on navigations? post different from get?
- 12:39:10 [wseltzer]
- mkwst: they're both dangerous. servers clearly don't consider get idempotent
- 12:39:50 [wseltzer]
- ... if we leave it up to the server, via preflights or foreign fetch
- 12:40:08 [wseltzer]
- ... or limited declarative policy, but wouldn't treat get/post differently
- 12:40:18 [wseltzer]
- annevk: even post needs to be implemented retry-safe
- 12:40:47 [wseltzer]
- bz: can't the server always return an error page?
- 12:40:56 [wseltzer]
- ... what do they want to know that they don't know now to make that decision?
- 12:41:12 [wseltzer]
- mkwst: origin headers not sent, form posts in firefox, e.g.
- 12:41:29 [wseltzer]
- annevk: we basically need a new origin header
- 12:41:41 [wseltzer]
- ... because the current one is mostly used for CORS
- 12:42:06 [wseltzer]
- mkwst: cases where origin info is missing
- 12:42:18 [wseltzer]
- ... foreign fetch might give what they need
- 12:42:36 [wseltzer]
- annevk: foreign fetch isn't quite settled yet
- 12:42:45 [wseltzer]
- ... Apple has different cookie storage policy
- 12:43:14 [wseltzer]
- mkwst: hard to know what it means for suborigins and cookies
- 12:43:24 [wseltzer]
- ... one idea: subkey cookies
- 12:43:44 [wseltzer]
- ... what does that do to OAUTH flows
- 12:44:07 [wseltzer]
- ... killing auth makes it difficult for google to use
- 12:44:49 [wseltzer]
- @@: app manifest
- 12:45:01 [wseltzer]
- mkwst: might well be possible to merge them
- 12:45:21 [wseltzer]
- ... a few design differences
- 12:45:29 [wseltzer]
- bz: fail open, closed, or up to the server
- 12:45:38 [wseltzer]
- ... foreign fetch fails open
- 12:45:45 [wseltzer]
- ... origin header, leaves to server
- 12:45:52 [wseltzer]
- ... which do we want here?
- 12:46:47 [wseltzer]
- mkwst: several new features, we've said are optional on the client
- 12:47:07 [wseltzer]
- AdrianHB: If I can ask you to spawn new processes, that's an attack vector
- 12:47:25 [wseltzer]
- annevk: at what level do you need to know it doesn't work
- 12:48:17 [wseltzer]
- mkwst: possible where in the process that service worker comes in
- 12:50:11 [wseltzer]
- mkwst: you don't necessarily know at request time whether you have a process free
- 12:50:52 [wseltzer]
- ... private repo, I'll probably move it to WICG
- 12:50:57 [wseltzer]
- ... discuss in webappsec
- 12:51:07 [wseltzer]
- ... issues in the github repo
- 12:51:12 [wseltzer]
- rrsagent, make minutes
- 12:51:12 [RRSAgent]
- I have made the request to generate http://www.w3.org/2016/09/21-isolation-minutes.html wseltzer
- 12:51:19 [JoeHallCDT]
- ty wseltzer!
- 12:51:37 [JoeHallCDT]
- JoeHallCDT has left #isolation
- 12:51:44 [bz]
- bz has left #isolation