Fenced frames #781
Comments
|
A good part of online security depends on a form of cooperation between sites and browsers. Data that a site wants to keep from other sites is kept secret by the browser. All of this is rooted in the same-origin model. There are lots of ways this manifests, with the main protection being the inability of one origin to access the data provided by other origins. For the most part, sites are able to choose what information they share with other sites1. When it comes to privacy, the situation is far more complicated. In general, the web platform aims to maintain contextual integrity, where information exchanged with one site is not available to other sites. This goal is difficult to achieve in light of tracking technologies, especially navigational tracking and fingerprinting. Still, it’s an important goal that helps us set expectations for new platform features: there is broad agreement that new features cannot violate contextual integrity. Fenced frames seek to provide sites with access to information that could break contextual integrity, simultaneously depriving the component that accesses that information from any ability to exfiltrate that information. The browser would be required to prevent content in the fenced frame from communicating with the page that embedded it. That is, rather than relying on cooperation between sites and browsers, it creates a situation where a site is incentivized to try to break out of the constraints set by the browser. The other major part of online security is protecting the computer from malicious sites, which is pretty hard. That part is aided by a lot of structural support in terms of the design of the entire platform, which has been built up over decades with this goal in mind. Fenced frames seek to use a lot of the same platform capabilities, without operating in a framework that has all that established support. On the contrary, a lot of the platform is very hard to secure in this way. The explainer acknowledges this, but offers no solutions; we are no better able to help. This is intended to be generic technology, but there are only two clearly identified use cases for it2:
Our analysis of Protected Audience concluded with a negative position, partly based on fundamental flaws in how Fenced Frames could be abused. The TAG review of the cross-site customization option found that it enabled deceptive design practices and had not considered how the feature might be abused. The TAG chose an “object” resolution in their review, the strongest possible negative position they could take. We agree with the TAG. There are aspects to the idea that are appealing in terms of opening up new capabilities on the platform for secure computation over private information. However, we don’t see the Fenced Frames as a good direction to explore toward that goal. Given all of this, we have to take a negative position on fenced frames as well. Footnotes |
martinthomson
added
venue: W3C CG
Request for Mozilla Position on an Emerging Web Specification
Other information
Fenced frames is a framing isolation primitive designed for maximum isolation between a frame and its embedder, between which no communication is allowed. Compared with iframes, this entails a similar visual experience but radically different processing model. A fenced frame is therefore suitable for (but not required to) hosting cross-site data which must not be joined across contexts. Please note that while the motivation for fenced frames is in part fueled by FLEDGE and Shared Storage, this proposal is entirely independent and stands on its own, and is to be evaluated as such. It can indeed be used independent of those APIs.
/cc @shivanigithub
The text was updated successfully, but these errors were encountered: