This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 25734 - Treat filesystem: and other (future) local-data-schemes as running script
Summary: Treat filesystem: and other (future) local-data-schemes as running script
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-15 21:16 UTC by Jonas Sicking (Not reading bugmail)
Modified: 2014-08-05 09:49 UTC (History)
4 users (show)

See Also:


Attachments

Description Jonas Sicking (Not reading bugmail) 2014-05-15 21:16:45 UTC
A page inside an <iframe sandbox="allow-same-origin"> should not be allowed to use filesystem: URLs.

Allowing reading from filesystem: would effectively allow the page to probe for data in the origin's filesystem storage and then send that information back to the server.

For example there have been CSS proposals for things like:

background: image(url("..."), url("..."));

If you point the first URL to a filesystem URL and the second url back to the home server, that would effectively let the home server know if a particular file exists in the user's filesystem API.

This will apply to any other data schemes that we create for loading local data, such as if we ever introduce a indexeddb:// url scheme.

So basically, from a sandboxing perspective, we should treat "load from local-data-url-schemes" as "run scripts".
Comment 1 Jonas Sicking (Not reading bugmail) 2014-05-15 21:17:38 UTC
Sounded like Adam Barth was ok with this suggestion, though I'll let him speak for himself.
Comment 2 Ian 'Hixie' Hickson 2014-05-15 21:54:51 UTC
Anne, this is mostly going to be for you. Do you want me to provide a sandbox flag for this that you can hook into?
Comment 3 Anne 2014-05-16 11:23:14 UTC
At what point does this sandboxing apply? Would these URLs just fail to parse or should fetching fail?
Comment 4 Ian 'Hixie' Hickson 2014-05-16 17:13:40 UTC
I think fetching. Failing to parse would be very odd... I mean, it would make the utility of the parsing API dependent on sandboxing, which is weird.
Comment 5 Anne 2014-05-18 12:29:02 UTC
Is sandboxing part of CSP yet? Because then it could become part of the CSP check Fetch does.
Comment 6 Ian 'Hixie' Hickson 2014-05-19 20:00:42 UTC
Sandboxing and CSP interact cloely, but they're not part of each other per se.
Comment 7 Anne 2014-05-20 08:50:35 UTC
K, assuming they are distinct, how should this work? http://fetch.spec.whatwg.org/#concept-fetch has a hook for HSTS and soon for CSP (open issue still). Should I add another hook for HTML sandboxing? What do you need passed?
Comment 8 Ian 'Hixie' Hickson 2014-05-20 17:08:26 UTC
You would just add this to the algorithm: "...if the Document's active sandboxing flag set does not have the sandboxed something-or-other flag set, then..."

Then tell me what "something-or-other" should be, and I'll add an appropriate flag. For example, "sandboxed origin-privileged schemes flag" or whatever.

See pointer lock for an example of a spec integrating with this.
Comment 9 Anne 2014-05-21 08:45:32 UTC
Fetch currently only has a handle back to a global (request's client). But I guess I can get to a Document from there.

"sandboxed local-data scheme flag"?
Comment 10 Ian 'Hixie' Hickson 2014-05-21 20:07:08 UTC
data: is "local data" too. As is cached HTTP.
Comment 11 Anne 2014-05-22 07:40:04 UTC
Actually, isn't this similar to "sandboxed automatic features browsing context flag" or "sandboxed scripts browsing context flag" combined with an origin check? Is there a reason to have a distinct flag for those two?

"sandboxed storage area URLs flag"
Comment 12 Ian 'Hixie' Hickson 2014-05-22 18:18:41 UTC
"sandboxed storage area URLs flag" works for me.

Having more flags is essentially free from the spec point of view and gives us more flexibility later. I expect implementations to actually just have one bit for all the flags that can't be individually controlled.
Comment 13 Anne 2014-05-23 06:56:45 UTC
Okay, sounds good. I'll add placeholder sections to Fetch for these new schemes and implement the desired sandboxing.

Where are these new schemes being defined by the way? I've the feeling I might want to give some input to make sure they work nicely with the revamped URL parser.
Comment 14 contributor 2014-08-04 23:38:45 UTC
Checked in as WHATWG revision r8706.
Check-in comment: Add a sandboxing flag for use by fetch
http://html5.org/tools/web-apps-tracker?from=8705&to=8706