Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Send "null" Origin headers on cross-origin requests from an RFC7686 address #1350

Open
fmarier opened this issue Nov 9, 2021 · 7 comments · May be fixed by #1351
Open

Send "null" Origin headers on cross-origin requests from an RFC7686 address #1350

fmarier opened this issue Nov 9, 2021 · 7 comments · May be fixed by #1351

Comments

@fmarier
Copy link

fmarier commented Nov 9, 2021

The special-use .onion domain name, defined in RFC7686, receives special treatment in the Tor browser and in Firefox: https://searchfox.org/mozilla-central/rev/6c8d325e61b0b445ed2e04899da38c3a4c266cba/netwerk/protocol/http/nsCORSListenerProxy.cpp#979-984

It seems like this behavior should be standardized since any browser could be setup to proxy traffic over the Tor SOCKS5 proxy.

I also filed an issue against the Referrer Policy spec to address the Referrer header.

fmarier added a commit to fmarier/fetch that referenced this issue Nov 9, 2021
@fmarier fmarier linked a pull request Nov 9, 2021 that will close this issue
3 tasks
@annevk
Copy link
Member

annevk commented Nov 9, 2021

Thanks for raising this. There's also #248 which we could address now I think (although I'm not familiar with the details).

fmarier added a commit to fmarier/fetch that referenced this issue Nov 10, 2021
fmarier added a commit to fmarier/fetch that referenced this issue Nov 10, 2021
@fmarier
Copy link
Author

fmarier commented Nov 10, 2021

There's also #248 which we could address now I think (although I'm not familiar with the details).

Yeah, I'm not too sure exactly where that should be addressed in Fetch. I'm also not familiar with how it's implemented in Firefox.

@annevk
Copy link
Member

annevk commented Nov 10, 2021

cc @artines1 @ddragana

@mikewest
Copy link
Member

If I understand the proposal correctly, this would have the effect of disabling meaningful access controls for resources that .onion pages wish to access (since any cross-origin response to a CORS-mode request would have to send headers that allowed any opaque origin to access the resource). That seems like a somewhat counterproductive restriction.

A weaker version of this proposal would apply the restriction to no-cors requests, but not to CORS requests (similar conceptually to the credentialless COEP mode). Is that direction worth exploring?

@fmarier
Copy link
Author

fmarier commented Nov 10, 2021

If I understand the proposal correctly, this would have the effect of disabling meaningful access controls for resources that .onion pages wish to access.

That's a good point. It seems indeed like an unfortunate side-effect of the current implementation in Tor Browser.

My understanding of what Tor Browser is trying to protect here is an Onion service accidentally leaking its identity via linking to or embedding cross-origin resources. If we limited this new restriction to no-CORS requests, then the only case of accidental leakage I can think of would be Onion services using an anonymous CORS request in order to use subresource integrity with https://code.jquery.com/jquery-1.11.1.js for example. I think we could make a convincing case that the more typical CORS requests (e.g. those with credentials) are intentional and coordinated with the third-party (i.e. no accidental leakage).

fmarier added a commit to fmarier/fetch that referenced this issue Nov 10, 2021
@fmarier
Copy link
Author

fmarier commented Nov 18, 2021

I'm happy to file implementation bugs and work on the tests, but before that, I'd like to know whether that's a change that Chrome and Firefox (others?) would be willing to make. (I would also be happy to work on upstreaming the Brave changes to Chromium.)

Is @mikewest 's suggestion (only touching no-cors) what folks think should be done? Is this something I should bring up at the next WebAppSec teleconf?

@annevk
Copy link
Member

annevk commented Nov 23, 2021

Some developers do seem to expect that CORS would include .onion domain details: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32865 (thanks @valenting for finding that!). But, having discussed this a bit with @tomrittervg it's not clear to me that's the way to go. Leaking .onion domains to other sites has these risks:

  1. It reveals the .onion domain exists. .onion domains are a lot like capability URLs and some are definitely meant to stay secret as I understand it.
  2. It reveals the user uses .onion domains. (I'm not sure this is a problem on its own, especially with newish state partitioning behavior.)

Coupled with the fact that depending on CORS is quite easy (e.g., using a cross-site library for a font), I don't think we want it to leak by default. Having said that, I could imagine supporting some kind of policy for this for .onion domains that self-declare in some manner that they are not secret. But it seems that should be a follow-up, if anything.

I'd additionally like to solicit feedback from those more closely involved with .onion. @sysrqb @alecmuffett perhaps you could comment as to whether this seems reasonable?

(Aside: I think it's also a bug in Tor Browser and possibly Firefox therefore that a `null` origin and credentials does not work. At least per https://fetch.spec.whatwg.org/#cors-check that is fine.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging a pull request may close this issue.

3 participants