IRC log of isolation on 2016-09-21

Timestamps are in UTC.

12:04:03 [RRSAgent]
RRSAgent has joined #isolation
12:04:03 [RRSAgent]
logging to http://www.w3.org/2016/09/21-isolation-irc
12:04:10 [JoeHallCDT1]
mkwest: would like to talk about a few isolation proposals that have come up lately
12:04:11 [Zakim]
Zakim has joined #isolation
12:04:16 [RobTrace]
RobTrace has joined #isolation
12:04:17 [JoeHallCDT1]
… have some goals on the Chrome team for this kind of thing
12:04:18 [annevk]
annevk has joined #isolation
12:04:24 [JoeHallCDT1]
… Moz does too, not sure those are the same goals
12:04:32 [JoeHallCDT1]
… what are we talking about here?
12:04:48 [JoeHallCDT1]
… many devs are building important, security-critical apps that they would like to be on the web
12:04:57 [JoeHallCDT1]
… muchos advantages of being on the web
12:05:05 [JoeHallCDT1]
… some applications, the web is v scary
12:05:19 [JoeHallCDT1]
… one app, at Google, Chrome app… as opposed to a web site
12:05:25 [JoeHallCDT1]
… bc afraid of being on the web
12:05:34 [JoeHallCDT1]
… other entities can talk to you, not good
12:05:50 [JoeHallCDT1]
… bug in the browser can allow evil.com to read state from your origin
12:06:07 [JoeHallCDT1]
… [something] allows deployment on Google's servers
12:06:20 [JoeHallCDT1]
… deploy as a Chrome app as opposed to web app, gave isolation properties
12:06:35 [JoeHallCDT1]
… forced process isolation, impossible to accomplish direct communication
12:06:50 [JoeHallCDT1]
… navigation from the web to this app is impossible, CSRF is no longer a threat
12:07:08 [JoeHallCDT1]
… impossible to get a window handle to this app
12:07:20 [JoeHallCDT1]
… can open, but can't post-message, send-message, look through frames
12:07:33 [JoeHallCDT1]
… app opens a window, don't get a window opener back to the app
12:07:47 [JoeHallCDT1]
… this seems like a failure of the web
12:07:54 [JoeHallCDT1]
… shouldn't force building of a native app
12:07:56 [bz]
bz has joined #isolation
12:08:08 [JoeHallCDT1]
… @estark on Chrome team have been kicking around
12:08:18 [JoeHallCDT1]
… some ways to apply isolation to the web
12:08:25 [JoeHallCDT1]
… in ways that are compat with web, and of the web
12:08:31 [JoeHallCDT1]
… document here
12:08:32 [mkwst]
https://mikewest.github.io/isolation/explainer.html#isolation
12:08:42 [JoeHallCDT1]
… idea is to spell out a threat model
12:08:48 [wseltzer]
wseltzer has joined #isolation
12:08:52 [JoeHallCDT1]
… kinds of isolation that are relevant that we'd like to provide
12:08:54 [wseltzer]
rrsagent, pointer?
12:08:54 [RRSAgent]
See http://www.w3.org/2016/09/21-isolation-irc#T12-08-54
12:08:59 [JoeHallCDT1]
… not complete, but a good start to the convo
12:09:17 [wseltzer]
rrsagent, make logs public
12:09:25 [JoeHallCDT1]
… doc walks through threat model, policy options to allow web sites to implement isolation
12:09:36 [JoeHallCDT1]
… and spells out the attacks this can protect against
12:09:39 [JoeHallCDT1]
… a few ways this can go further
12:09:47 [JoeHallCDT1]
… valuable to have a communication barrier
12:09:58 [JoeHallCDT1]
… i.e., cutting off handle to windows
12:10:07 [JoeHallCDT1]
… also navigation into those windows blocked
12:10:15 [JoeHallCDT1]
… proposal last year Entry Point Regulation
12:10:21 [mkwst]
http://www.collinjackson.com/research/papers/appisolation.pdf
12:10:21 [JoeHallCDT1]
… based on:
12:10:25 [JoeHallCDT1]
… ^^^
12:10:39 [JoeHallCDT1]
… spells out a similar idea in terms of threat model and iso techniques
12:10:54 [JoeHallCDT1]
… inspired site isolation effort in Chrome
12:11:04 [JoeHallCDT1]
… allow sites to force separate processes
12:11:11 [JoeHallCDT1]
… massive arch effort in Chrome
12:11:17 [JoeHallCDT1]
… will be live in Chrome 55
12:11:33 [JoeHallCDT1]
… want to get to a place where every site is a different process
12:11:51 [JoeHallCDT1]
… need to figure out how sites can signal to a browser that they are important and should be a separate process
12:12:02 [JoeHallCDT1]
… i.e., don't expose me to universal CSRF
12:12:21 [JoeHallCDT1]
annevk: Moz mostly interested in running a document in its own process
12:12:35 [JoeHallCDT1]
… there is a sig. number of 32-bit computers out there
12:12:50 [JoeHallCDT1]
… allocating large buffers can run into address exhaustion problem
12:13:05 [JoeHallCDT1]
… ran into it with Unity (?) who wants to get more games on the web
12:13:14 [JoeHallCDT1]
… they don't want double-keying
12:13:24 [JoeHallCDT1]
… but separate processes
12:13:36 [JoeHallCDT1]
… add some flag, [?]
12:13:45 [JoeHallCDT1]
mkwest: talk about containers project
12:13:57 [JoeHallCDT1]
annevk: containers is browser-in-a-browser idea
12:14:02 [JoeHallCDT1]
… paper just linked to
12:14:18 [Tomoyuki]
Tomoyuki has joined #isolation
12:14:20 [JoeHallCDT1]
… open a new container tag, won't be logged into FB anymore, for example
12:14:35 [JoeHallCDT1]
… everything has a container key (an extra key) added
12:14:42 [JoeHallCDT1]
… separate connection pool, etc.
12:14:46 [JoeHallCDT1]
mkwest: user-facing feature
12:15:06 [igarashi]
igarashi has joined #isolation
12:15:12 [JoeHallCDT1]
… part of inspiration here was to take the user-facing feature and make it a dev feature
12:15:19 [JoeHallCDT1]
… something here would be pretty valuable
12:15:28 [mkwst]
https://mikewest.github.io/origin-policy/
12:15:30 [dbaron]
dbaron has joined #isolation
12:15:33 [JoeHallCDT1]
… may tie this to another proposal origin policy
12:15:33 [jungkees]
jungkees has joined #isolation
12:15:42 [JoeHallCDT1]
???: DPUB...
12:15:58 [JoeHallCDT1]
… we don't want one book/document to influence another book/doc
12:16:05 [JoeHallCDT1]
… don't want sharing of local storage
12:16:18 [JoeHallCDT1]
mkwest: that's an interesting use-case
12:16:24 [JoeHallCDT1]
… probably better served by sub-origin
12:16:39 [wseltzer]
s/???/Leonardo
12:16:40 [JoeHallCDT1]
… multiple books on a single origin… book1.books.com book2.books.com
12:16:40 [anssik]
https://w3c.github.io/webappsec-suborigins/
12:16:42 [Tomoyuki]
rrsagent, make minutes
12:16:42 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/09/21-isolation-minutes.html Tomoyuki
12:17:03 [JoeHallCDT1]
Leonardo: don't understand the diff between iso and sub-origins
12:17:11 [JoeHallCDT1]
mkwest: iso proposes to isolate an origin entirely
12:17:15 [JoeHallCDT1]
… we have SOP
12:17:32 [JoeHallCDT1]
… evil.com can't get example.com's storage, but can open, post messages, etc.
12:18:07 [JoeHallCDT1]
dbaron: to summarize: this is about making the restrictions of SOP stronger
12:18:17 [JoeHallCDT1]
… suborigins is about [?]
12:19:01 [JoeHallCDT1]
mkwest: my goal is that we want to make sure folks don't have to build Chrome apps
12:19:16 [JoeHallCDT1]
… what do folks want to do?
12:19:32 [JoeHallCDT1]
mikeo'neil: what about the origin policy?
12:19:50 [JoeHallCDT1]
mkwest: idea about origin policy is to set properties for an origin instead of a resource
12:20:03 [JoeHallCDT1]
… can set a CSP for a document, but doesn't have any impact on the origin itself
12:20:16 [JoeHallCDT1]
… other headers, HSTS, have origin-wide impact delivered by a resource
12:20:26 [wseltzer]
mkwst: think of a manifest for an origin
12:20:32 [JoeHallCDT1]
… origin policy defines a manifest for an origin
12:20:44 [JoeHallCDT1]
… and a set of headers pinned to the origin
12:20:50 [JoeHallCDT1]
… lives in a WK location
12:21:12 [JoeHallCDT1]
… e.g., go to example.com… here's the document, go get this manifest file (synchronous request)
12:21:21 [JoeHallCDT1]
… think this should be good with h2 and PUSH
12:21:30 [JoeHallCDT1]
… make rq, parse manifest
12:22:27 [dbaron]
s/suborigins is about [?]/suborigins is about dividing the origins more finely/
12:23:20 [wseltzer]
https://mikewest.github.io/origin-policy/
12:24:02 [wseltzer]
mkwst: this is origin-based, not resource-specific
12:24:45 [wseltzer]
... should probably update the navigation proposed
12:25:11 [wseltzer]
@@: synchronous? like XHR?
12:25:17 [wseltzer]
mkwst: async, but blocks navigation
12:25:30 [wseltzer]
... navigation does not complete until you get a response
12:26:00 [JoeHallCDT1]
s/@@/Dom/
12:26:22 [wseltzer]
... the resource you're requesting has response headers that assert sthg about manifest
12:26:35 [wseltzer]
... that tells browser to get manifest (from cache, from push, from server)
12:26:49 [wseltzer]
... apply it to response before you return from navigation/fetch
12:27:00 [wseltzer]
... I think it would be ok to apply to subresources, but room to argue
12:27:09 [wseltzer]
Dom: that's the kind of reassurance was looking for
12:27:48 [wseltzer]
@@: I have a page with a bunch of images. One gets the header, does it block the other images?
12:27:58 [wseltzer]
... I think that will cause interop problems
12:28:10 [JoeHallCDT1]
s/@@/bz/
12:28:11 [wseltzer]
mkwst: goal, that this is something origin asserts when you nav to the homepage
12:28:37 [wseltzer]
... compare HSTS
12:28:54 [wseltzer]
bz: failure modes if you don't apply STS might be worse
12:29:00 [wseltzer]
mkwst: open to discussion
12:29:09 [wseltzer]
... something in the response causes policy to be applied
12:29:15 [wseltzer]
... might be ext resource
12:29:20 [aliams]
aliams has joined #isolation
12:29:26 [wseltzer]
leonardo: suborigins?
12:29:32 [aliams]
present+ Ali_Alabbas
12:29:33 [wseltzer]
mkwst: yet to be determined
12:30:41 [wseltzer]
... Subdomains are separate origins.
12:30:59 [wseltzer]
annevk: when are you shipping this?
12:31:09 [wseltzer]
mkwst: it's lots of work. I hope Moz can get there quickly from containers
12:31:23 [wseltzer]
... not shipping tomorrow
12:31:43 [wseltzer]
AdrianHB: Can a server ask a browser if it supports?
12:32:01 [wseltzer]
... e.g. very important bank wants to know or tell you to dl the app
12:32:12 [wseltzer]
mkwst: not yet. possibly header
12:32:53 [wseltzer]
mkwst: I think it's the case that there are browsers that can't do process separation; and chrome isn't going to guarantee process separation
12:34:00 [wseltzer]
mkwst: defense in depth
12:34:11 [wseltzer]
... this doesn't substitute for CSRF protection
12:34:52 [wseltzer]
... EPR didn't go far because people didn't like its relation to linkability on the web
12:35:11 [wseltzer]
... hope this proposal has more support because server rather than UA-forcing
12:36:40 [wseltzer]
... possibilities, make this a new element in foreign fetch
12:36:51 [wseltzer]
... trying to respond to needs and keep webby properties
12:37:17 [wseltzer]
bz: how do you provide protections in such a way that they're useful if not everyone is on a freshly minted browser
12:37:43 [wseltzer]
mkwst: couch it in properties we already have, e.g. x-frame-options, but can't block headers
12:38:01 [wseltzer]
... maybe isolation proposal just becomes a collection of small things
12:38:14 [wseltzer]
bz: assuming you don't want to mint a new protocol
12:38:35 [wseltzer]
mkwst: that's worse, would completely break compatibility
12:38:56 [wseltzer]
@@: restrictions on navigations? post different from get?
12:39:10 [wseltzer]
mkwst: they're both dangerous. servers clearly don't consider get idempotent
12:39:50 [wseltzer]
... if we leave it up to the server, via preflights or foreign fetch
12:40:08 [wseltzer]
... or limited declarative policy, but wouldn't treat get/post differently
12:40:18 [wseltzer]
annevk: even post needs to be implemented retry-safe
12:40:47 [wseltzer]
bz: can't the server always return an error page?
12:40:56 [wseltzer]
... what do they want to know that they don't know now to make that decision?
12:41:12 [wseltzer]
mkwst: origin headers not sent, form posts in firefox, e.g.
12:41:29 [wseltzer]
annevk: we basically need a new origin header
12:41:41 [wseltzer]
... because the current one is mostly used for CORS
12:42:06 [wseltzer]
mkwst: cases where origin info is missing
12:42:18 [wseltzer]
... foreign fetch might give what they need
12:42:36 [wseltzer]
annevk: foreign fetch isn't quite settled yet
12:42:45 [wseltzer]
... Apple has different cookie storage policy
12:43:14 [wseltzer]
mkwst: hard to know what it means for suborigins and cookies
12:43:24 [wseltzer]
... one idea: subkey cookies
12:43:44 [wseltzer]
... what does that do to OAUTH flows
12:44:07 [wseltzer]
... killing auth makes it difficult for google to use
12:44:49 [wseltzer]
@@: app manifest
12:45:01 [wseltzer]
mkwst: might well be possible to merge them
12:45:21 [wseltzer]
... a few design differences
12:45:29 [wseltzer]
bz: fail open, closed, or up to the server
12:45:38 [wseltzer]
... foreign fetch fails open
12:45:45 [wseltzer]
... origin header, leaves to server
12:45:52 [wseltzer]
... which do we want here?
12:46:47 [wseltzer]
mkwst: several new features, we've said are optional on the client
12:47:07 [wseltzer]
AdrianHB: If I can ask you to spawn new processes, that's an attack vector
12:47:25 [wseltzer]
annevk: at what level do you need to know it doesn't work
12:48:17 [wseltzer]
mkwst: possible where in the process that service worker comes in
12:50:11 [wseltzer]
mkwst: you don't necessarily know at request time whether you have a process free
12:50:52 [wseltzer]
... private repo, I'll probably move it to WICG
12:50:57 [wseltzer]
... discuss in webappsec
12:51:07 [wseltzer]
... issues in the github repo
12:51:12 [wseltzer]
rrsagent, make minutes
12:51:12 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/09/21-isolation-minutes.html wseltzer
12:51:19 [JoeHallCDT]
ty wseltzer!
12:51:37 [JoeHallCDT]
JoeHallCDT has left #isolation
12:51:44 [bz]
bz has left #isolation
12:54:42 [smaug]
smaug has joined #isolation
12:58:07 [Tomoyuki]
Tomoyuki has joined #isolation
13:01:41 [leonardr]
leonardr has joined #isolation
13:09:47 [Tomoyuki]
Tomoyuki has left #isolation
13:16:43 [bhill2]
bhill2 has joined #isolation
14:34:41 [masato]
masato has joined #isolation
14:35:31 [smaug]
smaug has joined #isolation
14:39:12 [plinss]
plinss has left #isolation
14:39:18 [plinss]
plinss has joined #isolation
14:41:05 [Zakim]
Zakim has left #isolation
14:45:34 [plinss]
plinss has left #isolation
14:47:18 [leonardr]
leonardr has joined #isolation
14:47:43 [leonardr]
leonardr has joined #isolation
15:26:23 [bhill2]
bhill2 has joined #isolation
15:32:19 [francois]
francois has left #isolation
16:56:54 [bhill2]
bhill2 has joined #isolation
17:07:21 [leonardr]
leonardr has joined #isolation
17:38:22 [smaug]
smaug has joined #isolation
18:01:52 [smaug]
smaug has joined #isolation
20:01:04 [bhill2]
bhill2 has joined #isolation
21:43:09 [bhill2_]
bhill2_ has joined #isolation
22:01:17 [bhill2]
bhill2 has joined #isolation
22:16:39 [smaug]
smaug has joined #isolation
22:19:53 [bhill2_]
bhill2_ has joined #isolation
22:21:46 [bhill2]
bhill2 has joined #isolation
22:22:24 [bhill2]
bhill2 has joined #isolation
22:22:48 [smaug]
smaug has joined #isolation
22:23:22 [bhill2_]
bhill2_ has joined #isolation