
Fenced frames: allow CSP to check ancestors for frame-ancestors. #46290

Merged: 1 commit merged into master from chromium-export-cl-5539622 on May 23, 2024

Conversation

chromium-wpt-export-bot

@chromium-wpt-export-bot chromium-wpt-export-bot commented May 15, 2024

To prevent information from flowing from an embedder into a fenced
frame, we have previously disabled checking ancestors of fenced frame
roots for the CSP frame-ancestors policy. There is now a need to allow
the frame-ancestors policy to look beyond the fenced frame root so that
embedders can control what is embedded in its page.

window.fence.notifyEvent() can be used to send information from a
fenced frame with unpartitioned data access to its embedder. Since 1 bit
is sent every click, a malicious embedder can exploit this and trick the
user into clicking a fenced frame in a certain way that leaks that
unpartitioned data.

The fenced frame can protect against this with the frame-ancestors
CSP, only allowing itself to be embedded in certain origins. For this to
work, the fenced frame needs to look beyond the fenced frame boundary
when calculating if it can load. Since this results in a data inflow
channel, this will only be allowed for fenced frames created from the
web platform or from Shared Storage, as those are the use cases where
data can flow into the fenced frame. Protected Audience-created fenced
frames will not have this capability, and will continue to not check
beyond the fenced frame root when calculating frame-ancestors.

This CL adds a new field to the fenced frame config/properties that
notes what API created the fenced frame. This is used in the
|AncestorThrottle| class to determine if/how to get the frame's direct
ancestor.

Change-Id: If7b335700319bad79ef3baf26a6d3f376ae22bc2
Bug: 341356673
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5539622
Reviewed-by: Garrett Tanzer <[email protected]>
Reviewed-by: Alex Moshchuk <[email protected]>
Commit-Queue: Liam Brady <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1305146}

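As an added illustration (not Chromium's AncestorThrottle or any code from this CL), the following Python model shows the ancestor walk the message describes: a frame-ancestors check on a fenced frame crosses the fenced frame boundary only for web-platform and Shared Storage fenced frames, while Protected Audience fenced frames stop at the root. The Frame class, the API labels, visible_ancestors and may_load are assumed names, and the CSP source matching is deliberately minimal.

```python
# Added model of the frame-ancestors walk for fenced frames (assumed names,
# not Chromium's implementation). Source matching is reduced to 'self',
# 'none' and exact-origin sources; real CSP matching is richer.
from dataclasses import dataclass
from typing import List, Optional

# Labels for the API that created a fenced frame (assumed names for this model).
WEB_PLATFORM = "web-platform"
SHARED_STORAGE = "shared-storage"
PROTECTED_AUDIENCE = "protected-audience"
LOOKS_PAST_BOUNDARY = {WEB_PLATFORM, SHARED_STORAGE}


@dataclass
class Frame:
    origin: str
    parent: Optional["Frame"] = None
    fenced_api: Optional[str] = None  # set only on a fenced frame root


def visible_ancestors(frame: Frame) -> List[str]:
    """Origins that a frame-ancestors policy on `frame` may inspect."""
    chain: List[str] = []
    node = frame
    while node.parent is not None:
        # At a fenced frame root the next hop crosses the fenced boundary;
        # only web-platform / Shared Storage fenced frames may take it.
        if node.fenced_api is not None and node.fenced_api not in LOOKS_PAST_BOUNDARY:
            break  # Protected Audience: the embedder stays invisible
        node = node.parent
        chain.append(node.origin)
    return chain


def matches(source: str, ancestor: str, self_origin: str) -> bool:
    """Minimal source-list matching for 'none', 'self' and exact origins."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == self_origin
    return source == ancestor


def may_load(frame: Frame, frame_ancestors: List[str]) -> bool:
    """frame-ancestors blocks the load if any inspectable ancestor matches no source."""
    return all(
        any(matches(s, a, frame.origin) for s in frame_ancestors)
        for a in visible_ancestors(frame)
    )
```

With a Protected Audience fenced frame, even `frame-ancestors 'none'` still loads, because the policy never sees the embedder; the same policy on a Shared Storage fenced frame blocks the load.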

@wpt-pr-bot wpt-pr-bot left a comment


The review process for this patch is being conducted in the Chromium project.

@chromium-wpt-export-bot chromium-wpt-export-bot merged commit 800d9b4 into master May 23, 2024
18 checks passed
@chromium-wpt-export-bot chromium-wpt-export-bot deleted the chromium-export-cl-5539622 branch May 23, 2024 17:07