Fenced frames: allow CSP to check ancestors for frame-ancestors. #46290
+50
−4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-5539622
branch
5 times, most recently
from
8afd6be
to
a8ac03d
Compare
To prevent information from flowing from an embedder into a fenced frame, we have previously disabled checking ancestors of fenced frame roots for the CSP frame-ancestors policy. There is now a need to allow the frame-ancestors policy to look beyond the fenced frame root so that embedders can control what is embedded in its page. `window.fence.notifyEvent()` can be used to send information from a fenced frame with unpartitioned data access to its embedder. Since 1 bit is sent every click, a malicious embedder can exploit this and trick the user into clicking a fenced frame in a certain way that leaks that unpartitioned data. The fenced frame can protect against this with the `frame-ancestors` CSP, only allowing itself to be embedded in certain origins. For this to work, the fenced frame needs to look beyond the fenced frame boundary when calculating if it can load. Since this results in a data inflow channel, this will only be allowed for fenced frames created from the web platform or from Shared Storage, as those are the use cases where data can flow into the fenced frame. Protected Audience-created fenced frames will not have this capability, and will continue to not check beyond the fenced frame root when calculating frame-ancestors. This CL adds a new field to the fenced frame config/properties that notes what API created the fenced frame. This is used in the |AncestorThrottle| class to determine if/how to get the frame's direct ancestor. Change-Id: If7b335700319bad79ef3baf26a6d3f376ae22bc2 Bug: 341356673 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5539622 Reviewed-by: Garrett Tanzer <[email protected]> Reviewed-by: Alex Moshchuk <[email protected]> Commit-Queue: Liam Brady <[email protected]> Cr-Commit-Position: refs/heads/main@{#1305146}
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-5539622
branch
from
a8ac03d
to
7bf8867
Compare
wpt-pr-bot
approved these changes
May 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To prevent information from flowing from an embedder into a fenced
frame, we have previously disabled checking ancestors of fenced frame
roots for the CSP frame-ancestors policy. There is now a need to allow
the frame-ancestors policy to look beyond the fenced frame root so that
embedders can control what is embedded in its page.
window.fence.notifyEvent()can be used to send information from afenced frame with unpartitioned data access to its embedder. Since 1 bit
is sent every click, a malicious embedder can exploit this and trick the
user into clicking a fenced frame in a certain way that leaks that
unpartitioned data.
The fenced frame can protect against this with the
frame-ancestorsCSP, only allowing itself to be embedded in certain origins. For this to
work, the fenced frame needs to look beyond the fenced frame boundary
when calculating if it can load. Since this results in a data inflow
channel, this will only be allowed for fenced frames created from the
web platform or from Shared Storage, as those are the use cases where
data can flow into the fenced frame. Protected Audience-created fenced
frames will not have this capability, and will continue to not check
beyond the fenced frame root when calculating frame-ancestors.
This CL adds a new field to the fenced frame config/properties that
notes what API created the fenced frame. This is used in the
|AncestorThrottle| class to determine if/how to get the frame's direct
ancestor.
Change-Id: If7b335700319bad79ef3baf26a6d3f376ae22bc2
Bug: 341356673
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5539622
Reviewed-by: Garrett Tanzer <[email protected]>
Reviewed-by: Alex Moshchuk <[email protected]>
Commit-Queue: Liam Brady <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1305146}