
Same-origin check, redirects, and navigations #50

Open
annevk opened this issue Sep 11, 2023 · 6 comments

annevk commented Sep 11, 2023

We should make sure the correct thing is done here, to avoid confused deputy attacks.

(This came up during TPAC 2023 and nobody present was immediately clear on whether this was handled correctly.)

pmeenan (Collaborator) commented Sep 11, 2023

From a CORS perspective on navigations, the document is assumed to be non-opaque (at least we were assuming that, @yoavweiss or @horo-t correct me if I'm wrong) so the main thing to be sure of is for any given navigation HTTP request along a redirect chain, the dictionary (if any) that is used is from the same origin as that specific request.

It's important that the dictionary selection not follow cross-origin redirects from the fetch level and that the dictionary selection be decided for each lower-level HTTP request separately (same goes for applying the path-matching). It'll be important to get this language correct on the fetch integration.

CORS-tainting isn't a concern for the usability of a dictionary for a navigation as far as I can tell. Tainting is applied to subresource requests though.

I may be misunderstanding the concern.

annevk (Author) commented Sep 11, 2023

CORS isn't involved in navigations (perhaps a tiny bit with Local Network Access at some point). Navigations are generally the same as same-origin responses, but they can be the result of a cross-origin redirect still. Whether it's okay in that case to treat it as a dictionary or reveal there is a dictionary on file is not fully clear to me. It seems safer if it doesn't work.

horo-t (Contributor) commented Sep 11, 2023

Here is the summary of current Chrome's implementation.

Can use a registered dictionary?

  • same-origin mode request:
    • Same origin request can use the dictionary.
    • Cross origin request is blocked.
    • Same origin request redirected to cross origin is blocked.
  • no-cors mode request:
    • Same origin request can use the dictionary.
    • Cross origin request can't use the dictionary.
    • Same origin request redirected to cross origin can't use the dictionary.
    • Same origin request redirected to cross origin and redirected back to the original same origin can't use the dictionary.
  • cors mode request:
    • Same origin request can use the dictionary.
    • Cross origin request can use the dictionary. But it requires correct Access-Control-Allow-Origin response header.
  • navigation mode request:
    • Can use the dictionary.
    • (Maybe we should disallow using dictionary after cross origin redirect?)

Can the response be used as a compression dictionary?

  • same-origin mode request:
    • The response of same origin request can be used as a dictionary.
    • Cross origin request is blocked.
    • Same origin request redirected to cross origin is blocked.
  • no-cors mode request:
    • The response of same origin request can be used as a dictionary.
    • The response of cross origin request can't be used as a dictionary.
    • The response of same origin request redirected to cross origin can't be used as a dictionary.
    • The response of same origin request redirected to cross origin and redirected back to the original same origin can't be used as a dictionary.
      • Chrome is checking response tainting == basic here.
  • cors mode request:
    • The response of same origin request can be used as a dictionary.
    • The response of cross origin request can be used as a dictionary. But it requires correct Access-Control-Allow-Origin response header.
  • navigation mode request:
    • The response of navigation mode request can't be used as a dictionary.
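An added example, not Chrome's code or text from the spec, that models the rules in this summary (and pmeenan's point above that dictionary selection is decided per HTTP request along a redirect chain) as a single decision function. It assumes a `chain` of visited URLs (initial request first, each redirect target after it) and an `acaoAllows` flag standing in for a matching Access-Control-Allow-Origin header; the `navigate` branch follows the current Chrome behaviour as stated, leaving the cross-origin-redirect question open. Origins and URLs are constructed for illustration.

```javascript
// Added example (not Chrome's code nor spec text): a model of the
// dictionary-eligibility rules summarized in the thread, one decision per
// request mode over the full chain of URLs a request visits.

function originOf(urlString) {
  return new URL(urlString).origin;
}

// mode: 'same-origin' | 'no-cors' | 'cors' | 'navigate'
// initiatorOrigin: origin of the document issuing the request
// chain: URLs visited, initial request first, each redirect target after it
// acaoAllows: assumed flag, true when the cross-origin response carried an
//   Access-Control-Allow-Origin header that admits initiatorOrigin
function decideDictionaryUse({ mode, initiatorOrigin, chain, acaoAllows = false }) {
  if (!Array.isArray(chain) || chain.length === 0) {
    throw new Error('chain must contain at least the initial request URL');
  }
  const hopOrigins = chain.map(originOf);
  // "Ever left the initiator origin" is what matters: a redirect out and back
  // still loses basic tainting, matching the "redirected back" rows above.
  const leftOrigin = hopOrigins.some((o) => o !== initiatorOrigin);
  const result = { blocked: false, canUseDictionary: false, canBecomeDictionary: false, reason: '' };

  switch (mode) {
    case 'same-origin':
      if (leftOrigin) {
        return { ...result, blocked: true, reason: 'same-origin mode: cross-origin hop blocks the request' };
      }
      return { ...result, canUseDictionary: true, canBecomeDictionary: true, reason: 'same-origin throughout (basic tainting)' };

    case 'no-cors':
      if (leftOrigin) {
        return { ...result, reason: 'no-cors: response tainting is opaque, not basic' };
      }
      return { ...result, canUseDictionary: true, canBecomeDictionary: true, reason: 'no-cors: basic tainting' };

    case 'cors':
      if (!leftOrigin) {
        return { ...result, canUseDictionary: true, canBecomeDictionary: true, reason: 'cors: same-origin throughout' };
      }
      // Assumption: a same-origin request redirected cross-origin is held to
      // the same Access-Control-Allow-Origin requirement as a cross-origin request.
      if (acaoAllows) {
        return { ...result, canUseDictionary: true, canBecomeDictionary: true, reason: 'cors: Access-Control-Allow-Origin admits the initiator' };
      }
      return { ...result, reason: 'cors: missing or non-matching Access-Control-Allow-Origin' };

    case 'navigate':
      // Current Chrome behaviour per the summary: the dictionary may be used,
      // even after cross-origin redirects (the open question in this thread),
      // and the navigation response itself is never stored as a dictionary.
      // The dictionary is looked up per hop against that hop's own origin,
      // never carried over from the previous hop across a cross-origin redirect.
      return {
        ...result,
        canUseDictionary: true,
        canBecomeDictionary: false,
        lookupOrigins: hopOrigins,
        reason: 'navigate: per-hop dictionary lookup; response not stored',
      };

    default:
      throw new Error(`unknown request mode: ${mode}`);
  }
}

// Constructed scenario from the thread: click -> ad tracker -> landing page.
const DEMO = decideDictionaryUse({
  mode: 'navigate',
  initiatorOrigin: 'https://site.example',
  chain: ['https://site.example/click', 'https://tracker.example/t', 'https://site.example/landing'],
});
console.log(DEMO.lookupOrigins.join(' -> '), '|', DEMO.reason);
```

The `leftOrigin` flag is the core of the check: it is computed over every hop, so the "redirected to cross origin and redirected back" rows fall out of the same test as a plain cross-origin request, which is what a `response tainting == basic` check also gives.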

pmeenan (Collaborator) commented Sep 11, 2023

For the common case of a click -> ad tracker -> document navigation flow it would be very useful if the document fetch could use a dictionary that was previously set. I'll see if anyone on our privacy and security teams can come up with why that might be an issue but it's not fundamentally different than how cookies behave.

The main thing that comes to mind that needs to be handled correctly is that the document context that the dictionary is pulled from needs to be corrected at each step of the redirect, but it's not really any different than the cookie case there either (at least with partitioned cookie stores).

horo-t (Contributor) commented Sep 11, 2023

Ah, yes. I agree that supporting redirected navigations is important.

For partitioning, Chrome is re-calculating the isolation key when handling the redirected navigation request. So the dictionary is correctly picked up from the correct partition.

yoavweiss (Collaborator) commented

Was this addressed?
