e28349efcc
Automatic update from web-platform-tests
[Topics] pad topics header to make it harder to expose information via its length
What:
Switch to a different header format to allow padding.
Example: "t=(1;v=chrome.1:1:2), p=P00000000000"
The total length of the inner topics list plus the padding depends on the number of distinct version in the underlying epochs:
- If it's 0 or 1, use 27
("100;v=chrome.1:1:10 200 300")
- If it's 2, use 43
("100;v=chrome.1:1:10 200;v=chrome.1:1:20 300")
- If it's 3, use 59
("100;v=chrome.1:1:10 200;v=chrome.1:1:20 300;v=chrome.1:1:30")
This assumes maximum 3 digit topic ID, 2 digit model version,
and 1 digit config version and taxonomy version.
Why: Servers typically have a GET request size limit e.g. 8KB, and
will return an error when the limit is reached. An attacker can rely
this to learn the number of topics for a different origin.
Bug: 1443540
Change-Id: Ieadad5730870457ae219f4db30b072f829771ac4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4553756
Commit-Queue: Yao Xiao <yaoxia@chromium.org>
Reviewed-by: Josh Karlin <jkarlin@chromium.org>
Reviewed-by: Dominic Farolino <dom@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1150078}
--
wpt-commits: 4c27189ed2db4ddad8e727d4ea9ae8329c3e1672
wpt-pr: 40209
60 lines
2.6 KiB
HTML
60 lines
2.6 KiB
HTML
<!doctype html>
|
|
<body>
|
|
<script src=/resources/testharness.js></script>
|
|
<script src=/resources/testharnessreport.js></script>
|
|
<script src=/browsing-topics/resources/header-util.sub.js></script>
|
|
<script src=/browsing-topics/resources/permissions-policy-util.sub.js></script>
|
|
<script>
|
|
'use strict';
|
|
const header = 'permissions policy header browsing-topics=()';
|
|
|
|
promise_test(async t => {
|
|
try {
|
|
await document.browsingTopics();
|
|
} catch (e) {
|
|
assert_equals(e.message, TOPICS_PERMISSIONS_POLICY_ERROR_MESSAGE);
|
|
return;
|
|
}
|
|
assert_unreached("did not reject");
|
|
}, header + ' disallows document.browsingTopics() in the current page.');
|
|
|
|
async_test(t => {
|
|
test_topics_feature_availability_in_subframe(t, /*is_same_origin=*/true,
|
|
expect_topics_feature_unavailable);
|
|
}, header + ' disallows document.browsingTopics() in same-origin iframes.');
|
|
|
|
async_test(t => {
|
|
test_topics_feature_availability_in_subframe(t, /*is_same_origin=*/false,
|
|
expect_topics_feature_unavailable);
|
|
}, header + ' disallows document.browsingTopics() in cross-origin iframes.');
|
|
|
|
const same_origin_url = '/browsing-topics/resources/check-topics-request-header.py';
|
|
const cross_origin_url = 'https://{{domains[www]}}:{{ports[https][0]}}' +
|
|
same_origin_url;
|
|
|
|
promise_test(async t => {
|
|
let response = await fetch(same_origin_url, {browsingTopics: true});
|
|
let topics_header = await response.text();
|
|
assert_equals(topics_header, "NO_TOPICS_HEADER");
|
|
}, header + 'disallows the \'Sec-Browsing-Topics\' header to be sent for the same-origin topics fetch request.');
|
|
|
|
promise_test(async t => {
|
|
let response = await fetch(cross_origin_url, {browsingTopics: true});
|
|
let topics_header = await response.text();
|
|
assert_equals(topics_header, "NO_TOPICS_HEADER");
|
|
}, header + 'disallows the \'Sec-Browsing-Topics\' header to be sent for the cross-origin topics fetch request.');
|
|
|
|
async_test(t => {
|
|
test_topics_iframe_navigation_header(
|
|
t, /*has_browsing_topics_attribute=*/true, /*is_same_origin=*/true,
|
|
expect_topics_header_unavailable);
|
|
}, header + ' disallows the \'Sec-Browsing-Topics\' header to be sent for the same-origin iframe navigation request.');
|
|
|
|
async_test(t => {
|
|
test_topics_iframe_navigation_header(
|
|
t, /*has_browsing_topics_attribute=*/true, /*is_same_origin=*/false,
|
|
expect_topics_header_unavailable);
|
|
}, header + ' disallows the \'Sec-Browsing-Topics\' header to be sent for the cross-origin iframe navigation request.');
|
|
</script>
|
|
</body>
|