Comments (12)
@asutherland Same-origin is defnitely safe. I'm not sure how much same-origin MessagePort usage there is since same-origin has more direct methods available.
I wonder if we could also fire it
- when the port is explicitly closed
- some kind of opt-in
- when the receiver has no handler
So then at least we would cover
- you've written a receiver library that does the right thing by opting in
- you've sent your port but the window has navigated to something unexpected
"no handler" also potentially leaks some info. Unclear to me if that would also be considered a problem.
from html.
What's Chrome's solution for it all being observable through Web Locks as well? At least when the close
event was added the premise was that it could be emulated. Is that not the case?
from html.
@annevk I'm not familiar with that. Since WebLocks are per-origin, I don't see how it leaks information cross-origin (which is Chrome Security's concern).
As for emulation, yes, I believe this demo demonstrates that this information is already pretty readily available. However, the concern was about explictly baking it in. I would argue that the difference is slight but then maybe that's why I'm not on the security team...
from html.
But that demo can be defeated by tying the lifetime of MessagePort
objects to the global, right? That's something we should probably do. I think the question is if there's a possibility of observing this absent that.
from html.
I'm not sure what you mean by defeated. Perhaps you're trying the demo in Safari which GCs aggressively. The demo does quite different things in different browsers.
- In Chrome, the outcome is that no GC occurs until the the other window is closed or navigates to a different URL.
- In Safari, the WeakRef become null almost immediately because www.example.com has no
message
listener, so the port is GCed quickly. So Safari already leaks that there is no listener (unclear if anyone is concerned by this). - In Firefox, the WeakRef never becomes null because FF intentionally never collects it to avoid leaking this info.
So in Safari, tying the port to the global would keep it alive, presumably until navigation but that is exactly Chrome Security's concern.
I don't think there's a great resolution to his that preserves the current spec, unless someone has a good argument why leaking this GC (which may or may not coincide with navigation) doesn't really matter.
from html.
I mean that we should align on the Gecko model.
from html.
It should be possible to provide a service over MessagePort
, across domains, with a decent chance of avoid leaks. So it should be possible opt-in to sending close on document destruction. I've seens suggestions that just using the port or adding a listener to it is enough of a signal or it come be more explicit like port.closeOnDestroy = true
.
from html.
@annevk To be clear, you are proposing that we spec that MessagePorts should be leaked and not GCed when they are cross-site? If we do that are OK with collecting them when they have had a listener added?
from html.
If by "leaked" you mean tied to the lifetime of the relevant global, sure. I don't really understand your second question as there's a grammar error. If you meant to write "are you OK" I don't understand why adding a listener would make them more collectable. It seems that would make them less collectable, but I'm probably missing something.
from html.
The intention is to find circumstances where the port can be disentangled without an explicit close. There have been a couple of suggestions
usage
- b.com sends a port to a.com
- a.com adds a listener to it or does
postMessage
- a.com's document is destroyed
- the port is disentangled and b.com can learn that a.com has been destroyed
opt-in
Add a boolean attribute like notifyOnClose
. If it's set to true, then the close event will fire. It's reset to false every time the port is transferred.
from html.
Looking at this again I wonder how Firefox defeats the attack. I was misunderstanding something initially. What does Firefox never collect? Maybe @asutherland can help out here.
I think an opt-in makes sense. I do wonder about the OP's suggestion of having different defaults for same and cross-origin. That is kinda counter to treating message passing as a capability-based mechanism as it's written to be in the specification. (With a notable exception for window.postMessage()
.)
from html.
Looking at this again I wonder how Firefox defeats the attack. I was misunderstanding something initially. What does Firefox never collect? Maybe @asutherland can help out here.
In Firefox, all shipped MessagePorts go through our IPC. When our IPC layer is processing the implicit close for the collected port:
- We decide to close the entangled port
- Which then results in us calling close on the parent IPC actor.
- But our Close method just dissociates the parent actor from our service but does not tear down the IPC parent actor, so the child actor never knows that it's not talking to anyone. We do have a method that would do that but we only call that in the nightmarish case where the port was further re-shipped but there are messages in-flight and state machines are catching up with that.
Honestly, it's not clear this behavior was entirely intentional (we will certainly spew NS_WARNINGs in the parent process when this case happens if the closed port sends us messages); the code has a bunch of technical debt and is due for a cleanup. But I think I might have avoided changing the behavior in a few bugs because it seemed like it might have been equally been intentional to avoid leaking GC, but it's hard to tell because our infrastructure makes it hard to find old discussion of things.
from html.
Related Issues (20)
- Spec allows multiple values for dropEffect in some current selection case which might cause different browsers to behave differently
- If a web author sets dropEffect to something that is not allowed according to spec, should UA respect their choice by updating dropEffect attribute?
- template.content has unusable value HOT 1
- Clean up HTML <-> DOM hooks HOT 2
- Consider improving interoperability of <iframe> throttling margins. HOT 10
- The dropEffect column in the Drag and Drop events summary table should clarify it represents default values.
- Drag and drop spec allows multiple values for dropEffect which might cause browsers to behave differently.
- How should UAs handle web authors setting dropEffect values?
- Proposal for event ordering when inserting replacement text such as text prediction, spell checker, etc
- It's unclear how shadows should be drawn across various compositing operators HOT 2
- Should custom validity error message treat \r as newline? HOT 3
- Upcoming WHATNOT meeting on 5/16/2024 HOT 5
- Date Picker popup doesn't propagate shadow DOM events into the light DOM HOT 1
- Clarify `detail` value of synthetic click event HOT 3
- Consider making "gamepadconnected" part of “activation triggering user event”? HOT 1
- Meeting 2 for joint OpenUI-WHATWG/HTML-CSSWG task force on styleable form controls HOT 2
- Upcoming WHATNOT meeting on 5/23/2024 HOT 5
- [Proposal]: Enable `HTMLElement` attributes to be toggled without JavaScript HOT 1
- Issue with Step 10 of inner navigate event firing algorithm HOT 2
- Provide native validation messages for native validity states on Form Associated Custom Elements
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from html.