[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cross-site loads of signed packages should be done stateless and with no personalization #423

Open
johnwilander opened this issue Apr 23, 2019 · 2 comments
Open

Cross-site loads of signed packages should be done stateless and with no personalization #423

johnwilander opened this issue Apr 23, 2019 · 2 comments
Labels
SXG Issue related to Signed HTTP Exchanges

Comments

@johnwilander
Copy link

As brought up by @cramforce in #422 (comment), we should require cross-site loads of signed packages to be stateless. Specifically:

  • The request chain must be credential-less. Maybe we can leverage some Fetch policy here.
  • It must be an HTTP GET request.
  • The request URL must not have a query string or fragment.
  • The path of the package request must be the same as the path on the target domain.

The above requirements are to ensure that cross-site tracking or personalization information is not transferred in the request for the package.
jyasskin added a commit to jyasskin/webpackage that referenced this issue Apr 24, 2019
@jyasskin
Add the mitigation from WICG#423.
2ce2603
@dfabulich
Copy link

A common tracking technique is to put personalized information in the ETag, e.g. ETag: W/your-login-id-plus-content-hash

Thus, to be truly stateless, the request would also have to prevent conditional GET requests (If-None-Match, If-Modified-Since)

@davidben
Copy link
Collaborator

From the Chrome anti-tracking team, we agree that SXGs should require mitigations for cross-site information flow. We think the suggestions here should be adopted, though of course details like how to trigger such a credential-less navigation still need to be worked out.

A minor quibble/note, the last two points as written require a distinct distributor origin per publisher origin, which seems off. (It even risks the SXG prefetch leaking the distributor origin via DNS and SNI.) I would suggest rephrasing it as: the path + query string of the navigation needs to be some specific deterministic function of the SXG target URL. For instance, https://distributor.example/.well-known/sxg/[some encoding or cryptographic hash of target URL].

jyasskin added a commit that referenced this issue Nov 4, 2019
@jyasskin
Improve the signed-exchanges privacy considerations. (#517)
6cc3237 
I also added a description of the anti-tracking concern in #422 and #423.
@daisuke-e daisuke-e added the SXG Issue related to Signed HTTP Exchanges label Nov 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
SXG Issue related to Signed HTTP Exchanges
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dfabulich @davidben @johnwilander @daisuke-e