[spec] During addModule(), switch to allow navigator but disallow navigator.locks
#227
Conversation
…navigator.locks` Currently, `navigator.locks` is the only available attribute on `navigator` (i.e., a SharedStorageWorkletNavigator), and we want to prevent Web Locks functionality during addModule(). This change avoids unintentionally breaking existing code that might legitimately read the navigator object (e.g., expects no Exception thrown) during module loading for purposes unrelated to Web Locks.
…throw on `navigator.locks` Currently, `navigator.locks` is the only available attribute on `navigator` (i.e., a SharedStorageWorkletNavigator), and we want to prevent Web Locks functionality during addModule(), because lock acquisition results (success, timing) could reveal data from other same-origin worklets, which could enable cross-site information leak via addModule() timing. This change avoids unintentionally breaking existing code that might legitimately read the navigator object (and expect no Exceptions thrown) during module loading for purposes unrelated to Web Locks. PR: WICG/shared-storage#227 Bug: 396148598 Change-Id: I67b217238912710ca89de319c6b7e1d9d2d1cbcf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6256882 Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Commit-Queue: Yao Xiao <yaoxia@chromium.org> Cr-Commit-Position: refs/heads/main@{#1419694}
|
@wanderview PTAL. Thanks! (Note that the Web Lock owner approved the behavior change (code)). |
…igator` but throw on `navigator.locks` Currently, `navigator.locks` is the only available attribute on `navigator` (i.e., a SharedStorageWorkletNavigator), and we want to prevent Web Locks functionality during addModule(), because lock acquisition results (success, timing) could reveal data from other same-origin worklets, which could enable cross-site information leak via addModule() timing. This change avoids unintentionally breaking existing code that might legitimately read the navigator object (and expect no Exceptions thrown) during module loading for purposes unrelated to Web Locks. PR: WICG/shared-storage#227 (cherry picked from commit d5c3918) Bug: 396148598 Fixed: 396648513 Change-Id: I67b217238912710ca89de319c6b7e1d9d2d1cbcf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6256882 Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Commit-Queue: Yao Xiao <yaoxia@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1419694} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6269812 Auto-Submit: Yao Xiao <yaoxia@chromium.org> Cr-Commit-Position: refs/branch-heads/6998@{#913} Cr-Branched-From: de9c6fa-refs/heads/main@{#1415337}
There was a problem hiding this comment.
The changes look reasonable for what they do, but I have a questions/comment.
This "filter out things we don't want" approach tends to create a fragile system because new items can be added to navigator later that you have not considered yet. Therefore a new storage-like thing could be added and create a security vulnerability.
As an alternative, have you considered listing exactly what attributes on navigator you believe are safe instead?
Thanks for the review @wanderview The Regarding "listing exactly what attributes on navigator you believe are safe instead" -- I'm unsure of a normative way to do this within the specification. I imagine we still need to do some checks within the getter methods? And in that case, if we miss a check in any getter, we still introduce the same vulnerability. |
|
Hmm, I see now I misunderstood the goal. Sorry for my confusion. Have you considered what this would do to feature detection code that might be running? What if its trying to feature detect the existence of navigator.lock during the initial evaluation of the script. Would this break existing scripts in the wild? It feels like it would be better to make lock manager methods reject immediately if a lock is created or accessed in addModule instead. WDYT? |
@wanderview You're right that feature detection could break if errors aren't properly handled or if incorrect assumptions are made about behavior. That's the main motivation behind this change -- moving the throwing logic down a level. However, throwing at the individual method level would make it harder to audit new usage and increase maintenance costs (e.g., the getter methods reside in the shard storage specification, while individual methods are spread across their own specifications). |
|
Ok, if you have considered the tradeoffs then I'm willing to approve. |
SHA: 48acd25 Reason: push, by xyaoinum Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Currently,
navigator.locksis the only available attribute onnavigator(i.e., a SharedStorageWorkletNavigator), and we want to prevent Web Locks functionality during addModule().This change avoids unintentionally breaking existing code that might legitimately read the navigator object (e.g., expects no Exception thrown) during module loading for purposes unrelated to Web Locks.
Preview | Diff