[wpt-sync] Sync PR 40209 - [Topics] pad topics header to make it harder to expose information via its length
Categories: Testing :: web-platform-tests, task, P4
Tracking: firefox116 fixed
People: Reporter: mozilla.org, Unassigned
Whiteboard: [wptsync downstream]
Sync web-platform-tests PR 40209 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/40209
Details from upstream follow.
Yao Xiao <yaoxia@chromium.org> wrote:
[Topics] pad topics header to make it harder to expose information via its length

What:
Switch to a different header format to allow padding.
Example: "t=(1;v=chrome.1:1:2), p=P00000000000"

There are two possibilities:
- If the user has same version epochs, or no valid epochs, add padding such that the total length of the padding plus the topics list equals 27 === the length of "100;v=chrome.1:1:10 200 300".
- If the user has different version epochs, add padding such that the total length of the padding plus the topics list equals 59 === the length of "100;v=chrome.1:1:20 200;v=chrome.1:3:40 300;v=chrome.1:5:60".

This assumes maximum 2 digit model version, and maximum 1 digit config version and taxonomy version.

Why: Servers typically have a GET request size limit e.g. 8KB, and will return an error when the limit is reached. An attacker can rely on this to learn the number of topics for a different origin.

Bug: 1443540
Change-Id: Ieadad5730870457ae219f4db30b072f829771ac4
Reviewed-on: https://chromium-review.googlesource.com/4553756
WPT-Export-Revision: 707f9e4d4b2a7fcf3e1286baec2d5b81281929a9
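An added example (not Chromium's or the PR's own code) that builds the padded header the way the commit message describes and refuses to emit one whose length would leak. It assumes, from the example strings above, that only the first topic carries the version annotation when every epoch shares one version, and that the padding is the run of zeros after the "P" token prefix.

```javascript
// Added example, not Chromium's implementation: build a Sec-Browsing-Topics
// header value whose length depends only on whether epoch versions differ,
// never on how many topics the caller actually has.
//
// Assumptions taken from the commit message's examples:
//  - each annotated topic is "<id>;v=chrome.<config>:<taxonomy>:<model>";
//  - when all epochs share one version only the first topic is annotated
//    (as in "100;v=chrome.1:1:10 200 300");
//  - the padding counted against the target is the zeros after "P".

const SAME_VERSION_TARGET = 27;  // len("100;v=chrome.1:1:10 200 300")
const MIXED_VERSION_TARGET = 59; // len("100;v=chrome.1:1:20 200;v=chrome.1:3:40 300;v=chrome.1:5:60")

// topics: array of { id, version }, e.g. { id: 1, version: 'chrome.1:1:2' }
function formatTopicsList(topics) {
  if (topics.length === 0) return '';
  const versions = new Set(topics.map((t) => t.version));
  if (versions.size === 1) {
    const [first, ...rest] = topics;
    return [`${first.id};v=${first.version}`, ...rest.map((t) => String(t.id))].join(' ');
  }
  return topics.map((t) => `${t.id};v=${t.version}`).join(' ');
}

function buildTopicsHeader(topics) {
  const list = formatTopicsList(topics);
  const sameVersion = new Set(topics.map((t) => t.version)).size <= 1;
  const target = sameVersion ? SAME_VERSION_TARGET : MIXED_VERSION_TARGET;
  const padding = target - list.length;
  if (padding < 0) {
    // The 2-digit model / 1-digit config and taxonomy assumption was
    // violated; sending the header anyway would make its length informative.
    throw new RangeError(`topics list exceeds padding target: ${list}`);
  }
  return `t=(${list}), p=P${'0'.repeat(padding)}`;
}
```

Within each of the two version cases, every header the function returns has the same length (36 or 68 characters here), so a request-size limit hit by the server reveals nothing about the topic count.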
CI Results
Ran 5 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 7 tests and 1 subtests

Status Summary
Browser | OK | PASS | FAIL | TIMEOUT | ERROR
---|---|---|---|---|---
Firefox | 3 | 10 | 12 | 10 | 1
Chrome | 3 | 10 | 12 | 10 | 1
Safari | 3 | 10 | 12 | 10 | 1
New Tests That Don't Pass
- /browsing-topics/browsing-topics-permissions-policy-default.tentative.https.sub.html [wpt.fyi]: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  - Default permissions policy allows document.browsingTopics() in the current page.: FAIL (Chrome: FAIL, Safari: FAIL)
  - Default permissions policy allows document.browsingTopics() in same-origin iframes.: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  - Default permissions policy allows document.browsingTopics() in cross-origin iframes.: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  - Default permissions policyallows the 'Sec-Browsing-Topics' header to be sent for the same-origin topics fetch request.: FAIL (Chrome: FAIL, Safari: FAIL)
  - Default permissions policyallows the 'Sec-Browsing-Topics' header to be sent for the cross-origin topics fetch request.: FAIL (Chrome: FAIL, Safari: FAIL)
  - Default permissions policy allows the 'Sec-Browsing-Topics' header to be sent for the same-origin iframe navigation request.: FAIL (Chrome: FAIL, Safari: FAIL)
  - Default permissions policy allows the 'Sec-Browsing-Topics' header to be sent for the cross-origin iframe navigation request.: FAIL (Chrome: FAIL, Safari: FAIL)
- /browsing-topics/browsing-topics-permissions-policy-none.tentative.https.sub.html [wpt.fyi]: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  - permissions policy header browsing-topics=() disallows document.browsingTopics() in the current page.: FAIL (Chrome: FAIL, Safari: FAIL)
  - permissions policy header browsing-topics=() disallows document.browsingTopics() in same-origin iframes.: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  - permissions policy header browsing-topics=() disallows document.browsingTopics() in cross-origin iframes.: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
- /browsing-topics/browsing-topics-permissions-policy-self.tentative.https.sub.html [wpt.fyi]: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  - permissions policy header browsing-topics=(self) allows document.browsingTopics() in the current page.: FAIL (Chrome: FAIL, Safari: FAIL)
  - permissions policy header browsing-topics=(self) allows document.browsingTopics() in same-origin iframes.: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  - permissions policy header browsing-topics=(self) disallows document.browsingTopics() in cross-origin iframes.: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  - permissions policy header browsing-topics=(self)allows the 'Sec-Browsing-Topics' header to be sent for the same-origin topics fetch request.: FAIL (Chrome: FAIL, Safari: FAIL)
  - permissions policy header browsing-topics=(self)allows the 'Sec-Browsing-Topics' header to be sent for the redirect of a topics fetch request, where the redirect has a same-origin URL.: FAIL (Chrome: FAIL, Safari: FAIL)
  - permissions policy header browsing-topics=(self) allows the 'Sec-Browsing-Topics' header to be sent for the same-origin iframe navigation request.: FAIL (Chrome: FAIL, Safari: FAIL)
- /browsing-topics/fetch-topics.tentative.https.html [wpt.fyi]
  - test fetch(<url>, {browsingTopics: true}): FAIL (Chrome: FAIL, Safari: FAIL)
- /browsing-topics/iframe-topics-attribute.tentative.https.html [wpt.fyi]
  - test <iframe browsingtopics src=[url]></iframe>: FAIL (Chrome: FAIL, Safari: FAIL)
- /browsing-topics/xhr-topics.tentative.https.html [wpt.fyi]: ERROR (Chrome: ERROR, Safari: ERROR)
  - test XHR that sets the deprecatedBrowsingTopics attribtue: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)