-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clear-Site-Data for partitioned storage can be used for cross-site tracking #11
Comments
A couple questions.
It seems to me if the server can know to send a clear-site-data header for an iframe request it could know to send a cookie header. Edit: Or know to respond to an XHR with equivalent state. |
When the user is on site.example as first party website, it makes three requests:
… to which those servers respond with a Clear-Site-Data header to set zeroes for bit 4, 6, and 20 in all partitions at once.
I'm assuming that cookies and website data is partitioned. That's the premise.
When the user is on site.example, site.example can only affect website data for itself and third parties in its partiton. However, if Clear-Site-Data clears data in other partitions, site.example can affect data cross-site, which is why this can be turned into a cross-site tracking vector. |
So this is link decoration then; albeit with only one bit of entropy.
Yes, but the server could still respond with a cookie when it sees your link decoration. The cookie would be stored in the partition cookie jar. Then the cookie state could be queried the same way you propose above (I assume with postMessage). It doesn't seem like clear-site-data is needed at all in this case?
I'm sorry, but I don't understand. Above you had the iframes using link decoration to get the header added in their own partitioned context. I don't see where clear-site-data across partitions is coming in? I do agree clear-site-data affecting across partitions would be an information leak, but is that spec'd or implemented anywhere? |
@mkruisselbrink explained to me that the link decoration is on XHR subresource requests. The issue makes more sense to me now. Sorry for my confusion. It does seem clear-site-data should not cross partition boundaries. |
FWIW, I am told chrome does not honor clear-site-data on 3rd party subresource requests today. It seems the spec does support it, though. |
No, it has nothing to do with link decoration. The URL on bucket4.example.com can be anything, and can be a fixed value. The point is that you establish 32 1-bit values which can be read in third-party context from all partitions.
I don't think your understanding of the attack matches what John is outlining. It's not link decoration. John happened to use a URL with a '?' in it, but that doesn't have to be the case.
That's not what is happening. Let me explain a slightly simpler version in more detail. Imagine each bucketN.example supports three URLs:
Now, imagine User visits Later, the user visits On the next visit to In summary, a
|
Having read this thread, I'm missing an explanation for:
|
The attacker would have to navigate the user to or open popups for on average 16 bucket domains to set the zeroes in those partitions. 16 because it’s half of 32 in the 32 bit user ID. For tracking at scale, this would have to be done continuously, for instance once a day or week to set the zeroes in the partitions of any new websites the user has visited. |
Is that assuming that it would also clear the partitioned data of that origin? |
Right, that is the issue. If Clear-Site-Data clears for all partitions, or can do so, it opens up for this attack. |
Therefore,
Right? I suspect (2) is roughly right, so that having Is there any disagreement about the desired state for this, or is it just that specs need to be updated to use the terminology about keying that this Work Item hasn't yet added to the Storage spec? |
I'm not aware of disagreement on making a change, it just needs to be specified (with appropriate tests, ideally). Storage spec does not yet provide the right infrastructure for this, but the Clear Site Data spec does not currently have a dependency on Storage. It seems right to me that either (1) or (2) from #11 (comment) would avoid this vulnerability. Note also: there's a proposal to add an API that does something similar to the Storage Living Standard, care must be taken to avoid the vulnerability in that case as well. |
The Storage Standard will take over part of the definition of whatwg/storage#88 discusses how |
@bakulf and I discussed how I'm not comfortable allowing site A to remove storage of site B, even if site B is partitioned under A. This is a side channel that A can exploit to interfere with code running in B. As such, I argue that 1 in #11 (comment) is the best answer for "storage" and I believe an equivalent answer for "cookie" can be found (we really need a more formalized cookie standard). 1 would still allow B to clear storage if it so desires (if it's partitioned under A, only those partitioned-under-A bits would be cleared). Unfortunately, it is much less clear what a good answer for "cache" is and my current position is that we remove that, as we "did" with "executionContexts" before (see w3c/webappsec-clear-site-data#59). A possibility might be that we origin-match on cached URLs within the scope of the top-level site, which is how it works today but adjusted for a partitioned world, but that is a rather inelegant operation. (From the various types to clear "cache" does not have a strong motivation outlined in the document either.) |
@jkarlin mentioned that "cache" was problematic for Chrome too and would get back with details. Given the side channels, there was agreement on to restricting clearing of "storage" and "cookie" to a storage shelf and whatever will be equivalent for cookies. A concern that was raised is that this will not permit a site (really an origin) to clear all the bits related to it in the user agent without assistance from the user (and even then it would depend on available UI). I.e., a site (really an origin) can only clear its non-partitioned storage/cookies or a single top-level-bound instance of partitioned storage/cookies through this header. |
@jkarlin any update here? |
It's a slow operation in Chrome today. We don't keep the URL in the in-memory index (just a hash of the url), and have to open each entry to get the full URL and decide if we want to delete the file or not (if it matches the site to delete). We could improve things by adding the site (or partition key) to the index, at the expense of more memory to optimize for this one feature which I'd rather not do unless it saw a lot of usage. I agree on clearing at the shelf (partition) level as opposed to globally due to the side-channel. I can't speak to whether clearing the cache should be included in clear-site-data. I don't know how many sites are using it today and if they're counting on that cache clearing. |
Thanks, it's highly likely Firefox will remove "cache" given the problems it poses and the lack of advocacy for its support. That Safari doesn't yet implement |
Over the past 28 days, Josh is quite right that it's slow, however: |
As an update, Firefox has unshipped "cache" support (see https://bugzilla.mozilla.org/show_bug.cgi?id=1671182) and thus far there have been no reports of breakage. |
Currently, when a site sends the Clear-Site-Data response header with the "cookies" string, we clear all cookies for the request URL's domain. After CHIPS, https://github.com/WICG/CHIPS, we want the Clear-Site-Data to clear cookies set with the Partitioned attribute only if their cookie partition key matches the partition key derived from the request's NetworkIsolationKey. This additional constraint prevents sites abusing the Partitioned attribute and Clear-Site-Data in order to construct a cross-site identifier. For more information on this vector for abuse, see privacycg/storage-partitioning#11 which discusses it in the context of partitioned storage since the same principle applies to cookies. Bug: 1225444 Change-Id: Icee3bc17d5ac1559e9591c0c90c466043bd22696 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3249211 Reviewed-by: Giovanni Ortuno Urquidi <ortuno@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Oleh Lamzin <lamzin@google.com> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Finnur Thorarinsson <finnur@chromium.org> Reviewed-by: Christian Dullweber <dullweber@chromium.org> Commit-Queue: Dylan Cutler <dylancutler@google.com> Cr-Commit-Position: refs/heads/main@{#955781}
Currently, when a site sends the Clear-Site-Data response header with the "cookies" string, we clear all cookies for the request URL's domain. After CHIPS, https://github.com/WICG/CHIPS, we want the Clear-Site-Data to clear cookies set with the Partitioned attribute only if their cookie partition key matches the partition key derived from the request's NetworkIsolationKey. This additional constraint prevents sites abusing the Partitioned attribute and Clear-Site-Data in order to construct a cross-site identifier. For more information on this vector for abuse, see privacycg/storage-partitioning#11 which discusses it in the context of partitioned storage since the same principle applies to cookies. Bug: 1225444 Change-Id: Icee3bc17d5ac1559e9591c0c90c466043bd22696 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3249211 Reviewed-by: Giovanni Ortuno Urquidi <ortuno@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Oleh Lamzin <lamzin@google.com> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Finnur Thorarinsson <finnur@chromium.org> Reviewed-by: Christian Dullweber <dullweber@chromium.org> Commit-Queue: Dylan Cutler <dylancutler@google.com> Cr-Commit-Position: refs/heads/main@{#955781} NOKEYCHECK=True GitOrigin-RevId: 108a4192b48ffbcea07f7e2e4e92a526d3390012
This will prevent Clear-Site-Data from being abused for cross-site tracking [1] when partitioned cookies are enabled by default. [1]: privacycg/storage-partitioning#11 Old behavior: Clear-Site-Data could clear unpartitioned cookies from any context. New behavior: Clear-Site-Data cannot clear unpartitioned cookies if it came from a response where 3P cookie blocking applies. In both cases, CSD will delete partitioned cookies in the current partition. Low-Coverage-Reason:Some files have trial changes that do not impact behavior. Bug: 1416655 Change-Id: Ieed1e050f8f376b7d7704b4948c8f59adc21a17f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4312585 Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Andrey Zaytsev <andzaytsev@google.com> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Daniel Murphy <dmurph@chromium.org> Commit-Queue: Dylan Cutler <dylancutler@google.com> Reviewed-by: Christian Dullweber <dullweber@chromium.org> Reviewed-by: Oleh Lamzin <lamzin@google.com> Cr-Commit-Position: refs/heads/main@{#1118080}
…ocking" This reverts commit d27d506. Reason for revert: New test is failing on https://ci.chromium.org/ui/p/chrome/builders/ci/linux-chromeos-chrome/31221/overview clear_site_data_handler_browsertest.cc(788): Expected equality of these values: 0u Which is: 0 cookies.size() Which is: 1 Original change's description: > Make Clear-Site-Data: "cookies" respect third-party cookie blocking > > This will prevent Clear-Site-Data from being abused for cross-site > tracking [1] when partitioned cookies are enabled by default. > > [1]: privacycg/storage-partitioning#11 > > Old behavior: Clear-Site-Data could clear unpartitioned cookies from any context. > > New behavior: Clear-Site-Data cannot clear unpartitioned cookies if it came from a response where 3P cookie blocking applies. > > In both cases, CSD will delete partitioned cookies in the current partition. > > Low-Coverage-Reason:Some files have trial changes that do not impact behavior. > > Bug: 1416655 > Change-Id: Ieed1e050f8f376b7d7704b4948c8f59adc21a17f > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4312585 > Reviewed-by: Nasko Oskov <nasko@chromium.org> > Reviewed-by: Andrey Zaytsev <andzaytsev@google.com> > Reviewed-by: Maks Orlovich <morlovich@chromium.org> > Reviewed-by: Daniel Murphy <dmurph@chromium.org> > Commit-Queue: Dylan Cutler <dylancutler@google.com> > Reviewed-by: Christian Dullweber <dullweber@chromium.org> > Reviewed-by: Oleh Lamzin <lamzin@google.com> > Cr-Commit-Position: refs/heads/main@{#1118080} Bug: 1416655 Change-Id: I029da51c8049fff9b8a2d49ac53b3243b2e3435c No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4346993 Owners-Override: Marijn Kruisselbrink <mek@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Auto-Submit: Marijn Kruisselbrink <mek@chromium.org> Cr-Commit-Position: refs/heads/main@{#1118169}
…ocking" This is a reland of commit d27d50661e822cb64daec040041b5eabd2642969 Original change's description: > Make Clear-Site-Data: "cookies" respect third-party cookie blocking > > This will prevent Clear-Site-Data from being abused for cross-site > tracking [1] when partitioned cookies are enabled by default. > > [1]: privacycg/storage-partitioning#11 > > Old behavior: Clear-Site-Data could clear unpartitioned cookies from any context. > > New behavior: Clear-Site-Data cannot clear unpartitioned cookies if it came from a response where 3P cookie blocking applies. > > In both cases, CSD will delete partitioned cookies in the current partition. > > Low-Coverage-Reason:Some files have trial changes that do not impact behavior. > > Bug: 1416655 > Change-Id: Ieed1e050f8f376b7d7704b4948c8f59adc21a17f > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4312585 > Reviewed-by: Nasko Oskov <nasko@chromium.org> > Reviewed-by: Andrey Zaytsev <andzaytsev@google.com> > Reviewed-by: Maks Orlovich <morlovich@chromium.org> > Reviewed-by: Daniel Murphy <dmurph@chromium.org> > Commit-Queue: Dylan Cutler <dylancutler@google.com> > Reviewed-by: Christian Dullweber <dullweber@chromium.org> > Reviewed-by: Oleh Lamzin <lamzin@google.com> > Cr-Commit-Position: refs/heads/main@{#1118080} Bug: 1416655 Change-Id: I19deff390906e1d2fb7f990543d8ea5c438b4717
…ocking" This is a reland of commit d27d50661e822cb64daec040041b5eabd2642969 Original change's description: > Make Clear-Site-Data: "cookies" respect third-party cookie blocking > > This will prevent Clear-Site-Data from being abused for cross-site > tracking [1] when partitioned cookies are enabled by default. > > [1]: privacycg/storage-partitioning#11 > > Old behavior: Clear-Site-Data could clear unpartitioned cookies from any context. > > New behavior: Clear-Site-Data cannot clear unpartitioned cookies if it came from a response where 3P cookie blocking applies. > > In both cases, CSD will delete partitioned cookies in the current partition. > > Low-Coverage-Reason:Some files have trial changes that do not impact behavior. > > Bug: 1416655 > Change-Id: Ieed1e050f8f376b7d7704b4948c8f59adc21a17f > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4312585 > Reviewed-by: Nasko Oskov <nasko@chromium.org> > Reviewed-by: Andrey Zaytsev <andzaytsev@google.com> > Reviewed-by: Maks Orlovich <morlovich@chromium.org> > Reviewed-by: Daniel Murphy <dmurph@chromium.org> > Commit-Queue: Dylan Cutler <dylancutler@google.com> > Reviewed-by: Christian Dullweber <dullweber@chromium.org> > Reviewed-by: Oleh Lamzin <lamzin@google.com> > Cr-Commit-Position: refs/heads/main@{#1118080} Bug: 1416655 Change-Id: I19deff390906e1d2fb7f990543d8ea5c438b4717
…ocking" The failure in the rollback [1] is because one cookie was not cleared when the first CSD header is sent in clear_site_data_handler_browsertest.cc. This should only be possible if 3P cookie blocking is already enabled at the beginning of the test. To patch this, I explicitly disable 3PCB at the start of the test. To be conservative, I also explicitly enable the partitioned cookies feature so that it does not rely on the environment's default. Right now, partitioned cookies are enabled via the field trial testing config. [1]: https://ci.chromium.org/ui/p/chrome/builders/ci/linux-chromeos-chrome/31221/overview This is a reland of commit d27d506 Original change's description: > Make Clear-Site-Data: "cookies" respect third-party cookie blocking > > This will prevent Clear-Site-Data from being abused for cross-site > tracking [1] when partitioned cookies are enabled by default. > > [1]: privacycg/storage-partitioning#11 > > Old behavior: Clear-Site-Data could clear unpartitioned cookies from any context. > > New behavior: Clear-Site-Data cannot clear unpartitioned cookies if it came from a response where 3P cookie blocking applies. > > In both cases, CSD will delete partitioned cookies in the current partition. > > Low-Coverage-Reason:Some files have trial changes that do not impact behavior. > > Bug: 1416655 > Change-Id: Ieed1e050f8f376b7d7704b4948c8f59adc21a17f > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4312585 > Reviewed-by: Nasko Oskov <nasko@chromium.org> > Reviewed-by: Andrey Zaytsev <andzaytsev@google.com> > Reviewed-by: Maks Orlovich <morlovich@chromium.org> > Reviewed-by: Daniel Murphy <dmurph@chromium.org> > Commit-Queue: Dylan Cutler <dylancutler@google.com> > Reviewed-by: Christian Dullweber <dullweber@chromium.org> > Reviewed-by: Oleh Lamzin <lamzin@google.com> > Cr-Commit-Position: refs/heads/main@{#1118080} Bug: 1416655 Change-Id: I10e54ba18587c7c9a838e79dd52a535b5e8ff751 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4346675 Reviewed-by: Christian Dullweber <dullweber@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Commit-Queue: Dylan Cutler <dylancutler@google.com> Reviewed-by: Oleh Lamzin <lamzin@google.com> Reviewed-by: Andrey Zaytsev <andzaytsev@google.com> Reviewed-by: Daniel Murphy <dmurph@chromium.org> Cr-Commit-Position: refs/heads/main@{#1119580}
Back when WebKit considered whether or not to implement Clear-Site-Data, we noted that clearing partitioned data upon receiving that header can be used for cross-site tracking purposes. Since not many others were considering partitioned storage at the time, we never filed issues about it, at least not that I'm aware of.
The attack is about one first party site having control over website data under another first party site.
Imagine site.example registering these 33 domains: haveSetPartitionedData.example and bucket1.example through bucket32.example.
site.example runs script in the first party context on a great many websites. As part of its execution on those sites, it injects 33 invisible iframes for the domains mentioned above.
Let's say site.example is executing its script on news.example. If a cross-site user ID has not yet been planted yet for news.example, the haveSetPartitionedData.example iframe will not have website data yet and communicates to the bucket1.example through bucket32.example iframes to start fresh. The bucket1.example through bucket32.example iframes all store '1' in their partitioned storage and report back to the haveSetPartitionedData.example iframe when they are done. Now the haveSetPartitionedData.example iframe stores the fact that 32 '1's have been stored in the news.example partiton.
Every time the user visits site.example, site.example gets to see its unpartitioned cookies which identifies the user. Let's say it uses a 32-bit ID for the user. It now makes sure to send Clear-Site-Data response headers matching the '0's in the unpartitioned cookie ID for the corresponding bucket domains. For example, let's say the user ID has '0's in bit 4, 6, and 20. Then site.example would make sure website data is cleared for bucket4.example, bucket6.example, and bucket20.example.
Now when the user visits news.example, the haveSetPartitionedData.example's iframe will have website data set and communicates to the bucket1.example through bucket32.example iframes to report their '1's and '0's (no website data means '0') to the site.example script on news.example.
Voilà, cross-site user ID established.
Only accepting Clear-Site-Data from the current first party website would mitigate this attack but not fix it. Further, if this attack is combined with browser/device fingerprinting, it only needs to add enough cross-site bits to reach ≈32 bits in total.
The text was updated successfully, but these errors were encountered: