Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integrate feature policy #177

Merged
merged 9 commits into from
Mar 2, 2018
Merged

Conversation

clelland
Copy link
Contributor

@clelland clelland commented Dec 15, 2017

This adds a policy-controlled feature, named 'sync-xhr', which can be
disabled in a document to turn off synchronous requests for that
document (and documents in all descendant frames). Calling send() on a
synchronous request in a document where sync-xhr is disabled will
result in a NetworkError being thrown.
@clelland
Copy link
Contributor Author

As written, this depends on whatwg/html#3287 so that 'allowed to use' can reference a policy-controlled feature, and not just an attribute name.

Copy link
Member

@tyoshino tyoshino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good

xhr.bs Outdated

<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr".

<p>The default allowlist for Synchronous XMLHttpRequest is <code>*</code>.
Copy link
Member

@tyoshino tyoshino Dec 19, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

<a> is omitted for "Synchronous XMLHttpRequest" intentionally? just checking.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope, missed the markup there. Thanks.

xhr.bs Outdated
<a>responsible document</a> and it is <em>not</em>
<a>allowed to use</a> the <a>Synchronous XMLHttpRequest</a>
feature, then run <a>handle response end-of-body</a> for a <a>network
error</a> and return.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems nicer to throw during open(), no?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would be surprising to developers, I think -- there aren't currently any cases of a NetworkError being thrown during open(), since the fetch algorithm isn't called until send(). Since this policy can be imposed on pages which were written before this proposal, it seems that using an existing failure pattern is less likely to result in unforseen behaviour on the page.

I had originally proposed throwing an InvalidAccessError during open(), to align with the note at https://xhr.spec.whatwg.org/#sync-warning, but the rough consensus at TPAC (I wasn't actually present, this is second-hand) was around emulating a network-layer-error instead.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well yeah, I wouldn't want to throw a NetworkError there. I wonder what rationale was given in that discussion. Who would we ask?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that InvalidAccessError would also be consistent with step 10 of open() today.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll ask on #178, and see if we can find out who was there, and if this accurately reflects the consensus.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://chromium.googlesource.com/chromium/src/+/40126a62123c1e8704b2f92a6ef54eb3e6ce52db/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp#695 now throws InvalidAccessError in open(), which I think makes sense, has this been resolved but the comment thread just left open?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://chromium-review.googlesource.com/c/chromium/src/+/804057 changes it from InvalidAccessError to NetworkError, and causes it to occur on send(), like other network conditions would.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, thanks!

xhr.bs Outdated
<h3 id=feature-policy>Feature Policy Integration</h3>

<p>This specification defines a policy-controlled feature named <dfn>Synchronous
XMLHttpRequest</dfn>.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are all features supposed to follow this naming convention?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to decouple the name of the feature from the character string used to denote it in policies

The spec just says that there are policy-controlled features, and they have a feature name, which is defined in the ABNF as 1*( ALPHA / DIGIT / "-")

xhr.bs Outdated
<p>This specification defines a policy-controlled feature named <dfn>Synchronous
XMLHttpRequest</dfn>.

<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr".
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xref "feature name"

And make it "<code>sync-xhr</code>".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. (I've added explicit anchors for the unexported dfns until I fix up the FP spec to export those terms properly)

xhr.bs Outdated

<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr".

<p>The default allowlist for Synchronous XMLHttpRequest is <code>*</code>.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xref "default allowlist" (elsewhere we use safelist for things like this, is this different enough to use a new name?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hadn't noticed 'safelist' being used in this context, and I'm not sure if 'safety' is the concept we're trying to convey in any case.

Originally the feature policy spec used 'whitelist', and early reviews suggested we switch to 'allowlist' to match some other specs (I don't recall which; perhaps Web Authentication?)

I'm sure this is open to change, but that should probably happen on the FP issues list :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WebAuthn doesn't seem to use it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

w3c/webauthn#327 -- apparently not anymore (I still don't remember if this was the spec that was brought up, could be a complete coincidence)

xhr.bs Outdated

<p>When disabled in a document, calling send() on an XMLHttpRequest object with
the synchronous flag set MUST cause a DOMException named
<code>NetworkError</code> to be thrown.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove this. We don't want duplicate requirements.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

* Fix references and markup
* Remove duplicated requirement text
@annevk
Copy link
Member

annevk commented Dec 19, 2017

In particular I was wondering if a feature is always named "Uppercase Feature" or "Uppercase feature" rather than just "uppercase feature" which would be "synchronous XMLHttpRequest" here. Introducing that as a "feature named X" and then saying X has a feature name is somewhat confusing by the way. Maybe it makes more sense to call one the feature name and the other the identifier.

@clelland
Copy link
Contributor Author

There isn't a standard for naming features -- I've generally used whatever seems to sound right in prose -- and this is really the first time that the name of a feature and it's "feature name" string have diverged, since neither seems appropriate in the other's place.

(And I agree that it is confusing to call the character string that goes into policies the "feature name". I've opened w3c/webappsec-permissions-policy#125 to address that. I'll submit PRs to all of the specs that have included that text once we have settled on a better term to use)

@domenic
Copy link
Member

domenic commented Jan 11, 2018

FWIW I would probably just remove the feature name concept entirely and only use the web-developer-facing string ("feature identifier") throughout all specs. Having two 1:1 things, one of which is never exposed to either browser developers or web developers, seems confusing.

@clelland
Copy link
Contributor Author

Agreed, and fixed with the latest commit.

Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple nits left, mostly looking good now. Thanks.

xhr.bs Outdated
@@ -29,6 +29,9 @@ spec:dom; type:interface; text:Document
<pre class=anchors>
urlPrefix: https://w3c.github.io/DOM-Parsing/; spec: dom-parsing
type: dfn; text: fragment serializing algorithm; url: dfn-fragment-serializing-algorithm
urlPrefix: https://wicg.github.io/feature-policy/; spec: FEATURE-POLICY
type: dfn; text: policy-controlled feature; url: policy-controlled-feature
type: dfn; text: default allowlist; url: default-allowlist
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These should be properly exported by Feature Policy directly. This anchors block is only there for legacy.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They've been exported for a while -- or at least I thought they were :( Filed speced/bikeshed#1173 to get that indexed for use in bikeshed.

xhr.bs Outdated
<li>
<p>If <a>context object</a>'s <a>relevant settings object</a> has a
<a>responsible document</a> and it is <em>not</em> <a>allowed to use</a> the
<code><a>sync-xhr</a></code> feature, then run <a>handle response
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is meant to be a string I think it should be "<code><a>sync-xhr</a></code>" here and below. That's how you write down strings per Infra.

Also, no wrapping inside phrasing elements.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, also, since the <p> is the only child you need to do <li><p>....

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All fixed

xhr.bs Outdated

<p>This specification defines a <a>policy-controlled feature</a> identified by
the string <code><dfn>sync-xhr</dfn></code>. Its <a>default allowlist</a> is
<code>*</code>.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More can be on one line here. Please use 100 columns for new/modified text.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

xhr.bs Outdated
<p>This specification defines a <a>policy-controlled feature</a> identified by
the string <code><dfn>sync-xhr</dfn></code>. Its <a>default allowlist</a> is
<code>*</code>.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You want an extra newline here for consistency.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And done.

xhr.bs Outdated
@@ -1021,6 +1025,12 @@ method must run these steps:
<p>Otherwise, if the <a>synchronous flag</a> is set, run these substeps:

<ol>
<li>
<p>If <a>context object</a>'s <a>relevant settings object</a> has a
<a>responsible document</a> and it is <em>not</em> <a>allowed to use</a> the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be "and that"/"which is"? To me it seems that "it" refers to a settings object here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed -- that was ambiguous, thanks.

* Clarify which object is tested for "allowed to use"
* Denote strings correctly
* Formatting
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

What remains is:

  • web-platform-tests
  • Implementation bugs

if I'm not missing anything.

@annevk
Copy link
Member

annevk commented Jan 30, 2018

You also might want to associate [email protected] with your GitHub account and add your name to the Acknowledgments section of the standard.

@clelland
Copy link
Contributor Author

clelland commented Feb 1, 2018

@annevk, there are web-platform-tests for this already committed; you can see the results at https://wpt.fyi/xhr/xmlhttprequest-sync-default-feature-policy.sub.html (It fails in Chrome 63, but should pass in 65) Are there additional tests you'd like to see?

I'll see about filing bugs in other places where I can do that.

@annevk
Copy link
Member

annevk commented Feb 1, 2018

That's good enough I think. Other interesting tests might be header-based / same-origin restrictions.

@annevk
Copy link
Member

annevk commented Feb 1, 2018

I noticed one more nit. We use sentence casing for headers. I'm not entirely sure if that means "Feature Policy integration" or "Feature policy integration" though. I'm guessing the former makes the most sense.

@annevk annevk merged commit 67a423f into whatwg:master Mar 2, 2018
@domenic
Copy link
Member

domenic commented Mar 2, 2018

Doesn't this depend on whatwg/html#3287 which is still not merged? :-/

@annevk
Copy link
Member

annevk commented Mar 2, 2018

@domenic see the commit message.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

5 participants