"no-cors" CSS SOP violation

[annevk]

Per our current set of definitions a service worker reveals what resources a "no-cors" CSS stylesheet attached to a document loads. In particular this can leak confidential tokens in the URLs.

Entered the public record here: http://krijnhoetmer.nl/irc-logs/whatwg/20150703#l-286

According to @jakearchibald resource timing (paging @igrigorik) did this first, in both Chrome and Firefox.

I think we should revert both, seems like bad precedent to cut more holes in SOP.

[jakearchibald]

Most requests by CSS are exposed through computed styles, and it's pretty trivial to iterate over all elements to find those. Things like font urls & @import cannot be detected through computed styles, but are exposed by SW & resource timing.

I see CSS more like script, although it's "opaque", it gives up some visibility when it makes requests within the context of the page. Although, as @annevk points out, script gives up visibility by using globals that can be modified, whereas CSS doesn't.

[annevk]

https://bugzilla.mozilla.org/show_bug.cgi?id=1180145 tracks this for Gecko.

[jakearchibald]

@davidben @mikewest what's your take here, are we (and resource priorities) breaking the web by exposing CSS-initiated fetches?

[igrigorik]

Opened a bug on Resource Timing to track this (w3c/resource-timing#27).

[jakearchibald]

Ping @davidben @mikewest

We have two options here:

1. Declare CSS-triggered fetches as "page visible" as they are with script-triggered fetches. However, this is leaking new data when it comes to URLs that don't appear in computed styles. Eg font sources, @import urls.
2. as Anne suggests, remove these from the resource timing API & bypass serviceworker for these requests.

This will trip developers up who host their CSS on a CDN, as it's less likely to have access-control-allow-origin, but it's not worth breaking the web over.

[igrigorik]

@jakearchibald silly question: if you hide CSS fetches from SW, how am I supposed to offline my app with background images and fonts? Wouldn't that effectively mean that "if you want to be SW-compatible, you should avoid CSS fetches"... because that would break the web. I don't see why we're making this distinction between JS and CSS (JS fetches are "computed fetches" also).

[annevk]

No-cors cross-origin CSS subresources would be hidden. Any other kind of CSS subresources would not be hidden. So there's still plenty of ways to do business. (JavaScript fetches are already observable, as explained upthread.)

[jakearchibald]

@igrigorik

if you hide CSS fetches from SW, how am I supposed to offline my app with background images and fonts?

CSS fetches would only be hidden from SW if the CSS is no-cors cross-origin. You'd be able to get them back with <link rel="stylesheet" href="…" crossorigin>, provided CORS headers.

[igrigorik]

CSS has no author-level equivalent for "crossorigin" for fetches declared via url() - i.e. I can't specify a CORS policy on resources specified within the CSS file. As such, all url() initiated fetches (read, almost all CSS fetches modulo some odd exceptions like web fonts), would become invisible? Unless I'm missing something here, that would break the web.

Why can SW see and intercept no-cors crossorigin <img> initiated fetches, but same use case then fails under CSS? This seems inconsistent and broken.

p.s. the whole crossorigin business is a total mess - see w3c/resource-hints#32.

[annevk]

No, it depends on how the CSS resource was fetched. Not on how the CSS resource's subresources are fetched.

[igrigorik]

@annevk ah, ok.. So, coming back to @jakearchibald earlier point, what exactly would be "hidden" here if most URLs are already observable through computed styles? Jake called out fonts earlier, but afaik, those are visible via http://dev.w3.org/csswg/css-font-loading/.

[annevk]

Those observable through computed styles are only exposed if you know where to look, which can be expensive. Very different characteristics from getting a list. And e.g. @import is not affected by that. And it might very well be that CSS font loading has a bug too if it's claiming to be available for no-cors CSS.

[annevk]

@tabatkins ^^