Internet DRAFT - draft-thomson-wpack-content-origin
draft-thomson-wpack-content-origin
wpack M. Thomson
Internet-Draft Mozilla
Updates: 6454 (if approved) 9 March 2020
Intended status: Standards Track
Expires: 10 September 2020
Content-Based Origins for the Web
draft-thomson-wpack-content-origin-00
Abstract
Making content available to clients that are unable or unwilling to
contact a web origin enables new means of acquiring content. This
document describes a method for taking application state accumulated
by an offline user agent in relation to a piece of content and making
that state available in a fully online context. This enables
continuous use of content, starting from a state where the user agent
does not contact an origin and ending with
This document proposes an update to the definition of Origin in RFC
6454. It also proposes changes that would affect HTML, which is
outside of the remit of the IETF.
Note to Readers
Discussion of this document takes place on the WPACK Working Group
mailing list (wpack@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/wpack/
(https://mailarchive.ietf.org/arch/browse/wpack/).
Source for this draft and an issue tracker can be found at
https://github.com/martinthomson/wpack-content
(https://github.com/martinthomson/wpack-content).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
Thomson Expires 10 September 2020 [Page 1]
�
Internet-Draft Content-Based Origins March 2020
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 September 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
3. Overview and Comparisons . . . . . . . . . . . . . . . . . . 4
3.1. Offline-to-Online Transition for Content-Based Origins . 4
3.2. Offline-to-Online Transition for Signed Exchanges . . . . 5
3.3. Comparison with Signed Exchanges . . . . . . . . . . . . 7
3.4. Comparison with Unsigned Bundles . . . . . . . . . . . . 7
4. Content-Based Origin Definition . . . . . . . . . . . . . . . 8
4.1. Content Type Malleability . . . . . . . . . . . . . . . . 9
4.2. Hash Agility . . . . . . . . . . . . . . . . . . . . . . 9
5. Transfer to HTTPS Origin . . . . . . . . . . . . . . . . . . 10
5.1. Successful Transfer . . . . . . . . . . . . . . . . . . . 10
5.2. Unsuccessful Transfer . . . . . . . . . . . . . . . . . . 11
5.3. Transfer Target . . . . . . . . . . . . . . . . . . . . . 12
5.4. State Transfer . . . . . . . . . . . . . . . . . . . . . 12
5.4.1. Transfer of Content . . . . . . . . . . . . . . . . . 13
5.4.2. Transfer of Storage . . . . . . . . . . . . . . . . . 13
5.4.3. Transfer of Permissions . . . . . . . . . . . . . . . 14
5.5. Navigation Transfers . . . . . . . . . . . . . . . . . . 14
5.6. Communication Between Origins . . . . . . . . . . . . . . 15
6. Security Considerations . . . . . . . . . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
8.1. Normative References . . . . . . . . . . . . . . . . . . 15
8.2. Informative References . . . . . . . . . . . . . . . . . 16
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 18
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18
Thomson Expires 10 September 2020 [Page 2]
�
Internet-Draft Content-Based Origins March 2020
1. Introduction
The web relies on the concept of origins [ORIGIN] as the primary
means of identification for resources. A strongly authenticated
HTTPS origin is the basis for many security decisions. However,
establishing this identity relies on having an active TLS [TLS]
connection to a server that is considered authoritative for the
origin; see Section 11 of [HTTP].
A user agent that is offline when content is received cannot
establish this authority. Similarly, a user agent might be unwilling
to contact a server at the time that content is received. One reason
for not contacting a server might be to avoid leaking information
about the context in which content was referenced. In either case,
content cannot be attributed to the origin at the time it is
received.
In operation, content might be delivered by any means other than a
TLS connection to the intended server. Then there might be a period
during which the content is used. For instance, the content might be
a web page that is capable of functioning offline, though certain
functions might be unavailable.
At some after content is received, the user agent might want to
establish a connection to the server and continue use. True
continuity of use could depend on state established during the period
that the user agent did not contact the server.
This document proposes a design whereby content can be ascribed an
identity that is based solely on that content. Together with a means
of transferring control over state established by one origin to
another, this allows content to be delivered offline and used with
the ability to transition to a full online interaction with a web
server.
Content-based origins are proposed as an alternative to signed
exchanges [SXG], which ascribe an HTTPS origin to content through the
use of signatures. Signed exchanges depends on finding a way to
modify the core concept of web origins that allows for object-based
authority. Signed exchanges avoid any problems arising from transfer
of state between origins. However, a fundamental change to the way
in which authority is determined requires the use of a number of
safeguards. These safeguards contain both technical mechanisms and
usage constraints. These constraints could be operationally
challenging to meet, but violating them could have consequences for
security.
Thomson Expires 10 September 2020 [Page 3]
�
Internet-Draft Content-Based Origins March 2020
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses the term "user agent" consistent with the usage in
both [HTTP] and [HTML]. Colloquially, "user agent" is a web browser.
3. Overview and Comparisons
This section provides an overview of how content-based origins might
be used and compares that to designs based on signed exchanges.
The most interesting scenario involves the transition from an state
where the target origin has not been contacted (that is, the user
agent is either offline or effectively so), to one where the user
agent contacts the target origin (the user agent is online).
3.1. Offline-to-Online Transition for Content-Based Origins
For a content-based origin, content is loaded from a bundle. After
loading the bundle, the browser treats content in the bundle as
existing in an origin unique to the content of the bundle; see
Section 4.
If the bundle contains a transfer target URL (see Section 5.3), the
browser then attempts to load that resource, providing an indication
to the target origin that a transfer from the content-based origin is
possible. If the origin accepts the transfer of state, state is
transferred from the content-based origin to the target origin. This
sequence is shown in Figure 1.
Thomson Expires 10 September 2020 [Page 4]
�
Internet-Draft Content-Based Origins March 2020
+---------------+
| Load Bundle |
+---------------+
|
v
+---------------+ +---------+
Aborted +-----| Content-Based |=======| State |
Transfer +---->| Origin | +---------+
+---------------+ :
| State Transfer :
| IFF Origin Accepts :
v v
+---------------+ +---------+
| Online at |=======| State |
| Target Origin | +---------+
+---------------+
Figure 1: State Transfer for Content-Based Origins
Failure to connect to the target origin - such as when the browser
has no active Internet connection - causes the redirect to be
aborted. The browser continues to display the bundle content.
If the origin does not accept the transfer, the browser shows content
from the target origin and any state from the bundle is destroyed.
3.2. Offline-to-Online Transition for Signed Exchanges
With [LOADING] and [SXG], content is loaded from a signed bundle.
After loading the bundle, if the signature is considered valid, the
browser stores bundled content in a cache that is specific to the
target origin. The browser then redirects to the request (or target)
URL from the bundle. The browser uses content from the bundle in
place of fetching from the origin. This is illustrated in Figure 2.
Thomson Expires 10 September 2020 [Page 5]
�
Internet-Draft Content-Based Origins March 2020
+-----------------+
| Load Bundle |
+-----------------+
| ..If signature is trusted...
v : :
+-----------------+ : +-----------------+ :
| Check Signature +------>| Store Exchanges | :
+-----------------+ : +-----------------+ :
Redirect | : :
v : :
+-----------------+ : +-----------------+ :
| Online at |<------| Use Exchanges | :
| Request URL | : +-----------------+ :
+-----------------+ :...........................
Figure 2: Content Use with Signed Exchanges
Having signed content from the bundle allows use of that content
prior to connecting to the origin. Importantly, it allows
attribution of any operations to that origin. Optimizations that
otherwise might not be possible are enabled because resources from
the bundle can be treated as if they were loaded from the target
origin, but the browser does not need to make a request to the
origin.
Critically, if the browser is fully offline, it can decide to operate
with the bundle without having to connect to the origin. If the
bundled content is signed and trusted, the application to operate
offline. Any actions performed act on state for the target origin.
Note: While Service Workers [SERVICE-WORKERS] can offer a similar
experience, they require that the browser be online initially to
load the service worker script. This design requires no prior
interaction with the target origin.
Relative to content-based origins, the use of signatures avoids the
need to connect to the target origin and confirm knowledge of the
content. For cases where the transition to online status is intended
to be immediate, signed exchanges allow a redirect to happen without
any requests being made. A signed exchange will therefore display
content that is attributed to the target origin faster.
Failure to validate a signature causes a redirect to an online
location. If the client is offline, that origin will be
inaccessible. If the client is online, none of the optimizations
afforded by the bundle are available and this appears to be a normal
redirection.
Thomson Expires 10 September 2020 [Page 6]
�
Internet-Draft Content-Based Origins March 2020
[[Note that it is unclear whether a browser might be able to fall
back to treating a signed bundle as unsigned if the signature is
bad.]]
3.3. Comparison with Signed Exchanges
Signed exchanges attempt to address the problem of attributing
content to an origin. In effect, they add an object-based security
model to the existing channel-based model used on the web.
Signatures over bundles (or parts thereof) are used by an origin to
attest to the contents of a bundle.
Having two security models operate in the same space potentially
creates an exposure to the worst properties of each model. To reduce
the chances that the drawbacks of the newly-added object-based model
affect existing channel-based usages, signed exchanges include a
number of hardening measures. In addition to signatures, there are
required modifications to certificates, constraints on validity
periods, and a range of limitations on the types of content that can
be signed.
In comparison, content-based origins do not require signatures.
Questions of validity only apply at the point that a state transfer
is attempted. However, this has drawbacks also. Content is not
attributed to origins and state is not available to an online origin
until a transfer is complete. This avoids the complexity inherent to
merging two different security models, but the process of state
transfer could be quite complicated in practice.
In terms of usability, the identity attributed to content from a
content-based origin is opaque and not particularly relatable.
Though state might eventually be adopted by some origin,
communicating the true status of content could be challenging.
Finally, content-based origins aren't prevented from interacting with
HTTP origins, which could lead to surprising outcomes if existing
code is poorly unprepared for this possibility.
3.4. Comparison with Unsigned Bundles
Unsigned bundles [UNSIGNED] proposes a model whereby bundles served
by a given origin could be declared to be part of that origin and
trusted. Unsigned bundles would otherwise be considered untrusted
and would be isolated in some fashion. This is similar to the way in
which a content-based origin might be transferred to a target origin.
That proposal divides bundles into trusted and untrusted bundles.
Trusted bundles would be able to access state from the origin that
served them.
Thomson Expires 10 September 2020 [Page 7]
�
Internet-Draft Content-Based Origins March 2020
In comparison, content-based origins would always be used for bundles
and the distinction between trusted and untrusted is unnecessary.
Content from the bundle would be usable to a target origin that
accepts a state transfer.
4. Content-Based Origin Definition
A content-based origin ascribes an identity to content based on the
content itself. For instance, a web bundle [BUNDLE] is assigned a
URI based on its content alone.
The sequence of bytes that comprises the content or bundled content
is hashed using a hash function that is strongly resistant to
collision and pre-image attack, such as SHA-256 [SHA-2]. The
resulting hash is encoded using the Base 64 encoding with an URL and
filename safe alphabet [BASE64].
This can be formed into the ASCII or Unicode serialization of an
origin based on the Named Information URI scheme [NI]. This URI is
formed from the string "ni:///", the identifier for the hash
algorithm (see Section 9.4 of [NI]); a semi-colon (";"), and the
base64url encoding of the hash function output. Though this uses the
ni URL form, the authority and query strings are omitted from this
serialization.
For instance, the origin of content comprising the single ASCII
character 'a' is represented as "ni:///sha-
256;ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs".
In tuple form, the origin is comprised of the scheme ("ni") and a
host equal to the concatenation of hash algorithm identifier, semi-
colon, and base64url-encoded hash function output. The port number
is always absent for an origin in this form.
Design Note: This design currently assumes that there won't be a
hash-based URI scheme developed for bundles. It would be vastly
preferable to have a URI scheme for bundled content. It would
then be possible to reference content in a bundle from outside the
bundle, and internal references could be canonicalized.
Importantly, state transfer could also be initiated _toward_
another bundle. That could be used to upgrade bundles and other
nice features.
This definition of origin for named information ("ni://") URIs
extends the definition of origin in Section 4 of [ORIGIN].
Thomson Expires 10 September 2020 [Page 8]
�
Internet-Draft Content-Based Origins March 2020
4.1. Content Type Malleability
The hash used to generate this origin does not include any indication
of content type or the source of information. If it were possible
for the same content to be interpreted as valid instances of multiple
different content types, that might be exploited by an attacker.
A user agent SHOULD enact a policy of only attributing a content-
based origin to content that is unambiguously interpreted in a single
form. If it were possible for content to be interpreted as valid for
multiple content types and those could be attributed to the same
content-based origin, that might be exploited by an attacker. A
sample policy might only allow web bundles and HTML files to be
assigned a content-based origin; as the first bytes of these formats
are unambiguously different, this ensures that the same content to be
interpreted as valid for both content types.
4.2. Hash Agility
This design depends to some extent on the hash algorithm remaining
constant during the time that the content-based origin is used. A
change in hash algorithm changes the identity of the resource.
It is possible to transfer state from a content-based origin derived
using one hash algorithm to another without affecting the content of
the origin itself. It is not often that content depends on knowing
its own identity. However, the identity of the origin might be made
visible to other origins. For instance, the window.postMessage API
[HTML] allows content to target a specific origin for sending
messages and to identify the source origin of incoming messages.
For the purposes of determining equality, user agents might consider
hashes of the same content with different hash algorithms to be
equal. For instance, a user agent might consider "sha-
256:ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs" to be equal to "sha-
384;VKWbnyKwuAiA2EJ-VIt8I6vYc0huHwNdzpzWl-
hRdQM8qojm1XvDXvrgta_TFF8x". This requires that this equivalence is
known to the user agent.
Of the hash algorithms defined in [NI], only "sha-256" is permitted
for use with content-based origins. This usage has no need for a
truncated hash as the value does not usually need to be manually
entered. Furthermore, the use of multiple hash algorithms introduces
complexity.
Thomson Expires 10 September 2020 [Page 9]
�
Internet-Draft Content-Based Origins March 2020
5. Transfer to HTTPS Origin
In order to transfer state to a target origin, the server for that
origin needs to be contacted. Initiating transfer likely requires
that an API be defined for use by the content of the bundle.
Transfer might be automatically initiated when navigating to a URL
from a bundle; see Section 5.5.
A transfer is only possible where a transfer target URL is known for
content; see Section 5.3.
After a state transfer is initiated, the user agent fetches the
transfer target URL. The source content is hashed twice; once as
described in Section 4; then the resulting value is hashed again.
The twice-hashed value is encoded into a Sec-Content-Origin header
field and added to the request for the transfer target URL. If a
Sec-Content-Origin header field in the response contains the hash of
the content (that is, the pre-image of the value in the request),
that indicates that the server is both willing to receive the
transfer and that the server knows the content.
The value of the Sec-Content-Origin header field is expressed as a
structured header [SH] dictionary with keys being the hash algorithm
identifier (from [NI]) and byte sequence values of the hash.
Multiple values can be provided with different hash algorithm
identifiers. The values from the response correspond to the values
in the request with the same hash algorithm identifier. For the
transfer to be successful, clients MUST validate that at least one
value in the response hashes to the corresponding value in the
request; clients SHOULD validate all provided values. If the content
does not hash to the any provided value, the transfer is
unsuccessful.
Note: The response to a state transfer can be served from cache.
5.1. Successful Transfer
If the transfer is successful, state associated with the content-
based origin will be transferred to the target origin. The user
agent MAY either remember the identity of the content-based origin
and consider any content-based origin to be equal to the transferred
origin.
For example, assuming that a single 'a' character is valid content,
then the client would include the following in a request (line breaks
are added to examples for formatting reasons):
Thomson Expires 10 September 2020 [Page 10]
�
Internet-Draft Content-Based Origins March 2020
Sec-Content-Origin:
sha-256=:v106/7c+/S7Gw2rTES3ZM+/tY8Thy//PqI4nWcFE8tg=:
A successful state transfer would occur if the response from the
server included:
Sec-Content-Origin:
sha-256=:ypeBEsobvcr6wjGzmiPcTaeG7/gUfE5yuYB3ha/uSLs=:
A user agent that automatically follows redirections (3xx status
codes) MUST allow the server to redirect to a resource that provides
the response. Redirection can change the origin that ultimately
accepts the transfer. Any redirection to an origin that is not
strongly authenticated MUST cause the transfer to fail.
After a successful transfer, the user agent MAY treat the content-
based origin as an alias for the origin to which state was
transferred. This aliasing might be particularly useful in
addressing hash agility; see Section 4.2.
5.2. Unsuccessful Transfer
A transfer can be unsuccessful in two ways. If the target origin
cannot be contacted successfully, the content-based origin continues
to exist. Any API might indicate that the attempt failed. Failure
to transfer state is expected when the user agent is offline. After
failing to contact the target origin, a transfer can be attempted at
a later time. This causes navigation to fail and the user agent MAY
display a URL from the content-based origin.
[[TODO: Again, this requires that we define a means of identification
for content inside bundles.]]
A valid, final HTTP response that indicates anything other than a
server error (that is, 5xx status codes) or lack of authority (the
421 status code [HTTP2]) without including the hash pre-image in the
response MUST be treated as a failed migration. After a failed
migration, information about the target origin SHOULD be removed from
interfaces related to the content-based origin, except for diagnostic
purposes. The content-based origin MAY continue to exist but further
attempts to transfer state MUST immediately fail.
After a valid HTTP response, the user agent navigates to the transfer
target URL or any resource that was included in any redirections.
Any valid HTTP response, successful or not, MUST cause data
associated with the content-based origin to be cleared as though
clear-site-data were invoked [CLEAR-DATA].
Thomson Expires 10 September 2020 [Page 11]
�
Internet-Draft Content-Based Origins March 2020
5.3. Transfer Target
To enable transfer, content MUST include an attribute that indicates
the transfer target URL. If a bundle could contain multiple
potential entry points, each entry point for the bundle would
separately specify a different transfer target URL.
[[Intuitively, it seems prudent to limit transfer target URLs in the
same bundle to the same origin, but I don't have a concrete reason
for doing so right now.]]
A transfer target URL does not need to be specified if the intent is
to never support the ability to transfer to an online state.
The origin of the transfer target URL is the target origin. Only the
target origin can be the target of a state transfer. After a
successful transfer, the user agent loads the transfer target URL.
Note: Including the transfer target URL in content means that the
content hash is dependent on its value. This ensures that
different content-based origins are produced if different transfer
target URLs are used. Two different origins cannot share state.
A commitment in this form could allow user agents to present the
target origin in interfaces. While no strong assurances can be made
about the attribution of content to this origin, this might make it
easier to generate user interfaces.
Different content types might provide a way of encoding the transfer
target URL. The URL could be provided external to the content, but
this requires some unspecified means of ensuring that the content-
based origin depends on the value of the URL; this document only
supports content that can encode the transfer target URL.
5.4. State Transfer
Only limited state information can be transferred between origins.
This is limited to those items that are identified here, or those
that are added in later extensions. This document describes how
content (Section 5.4.1), stored data Section 5.4.2), and permissions
Section 5.4.3 are transferred.
Upon successful completion of transfer, if loading the transfer
target resource produces an HTML document, an event is delivered to
content of that resource that describes what information was
transferred.
Thomson Expires 10 September 2020 [Page 12]
�
Internet-Draft Content-Based Origins March 2020
A user agent MAY request user permission to transfer some state.
This might be conditioned on what state is being transferred. For
instance, a user agent might prompt before transferring permissions
[PERMISSIONS]; see Section 5.4.3.
5.4.1. Transfer of Content
How content that is delivered in the bundle is used by the target
origin is probably the most important aspect of any design in this
space. This document proposes that all content in the bundle is
adopted by the origin after a transfer completes.
This design means that bundles need a way to describe how all their
resources map to URLs in the target origin. If it is possible for
bundles to contain content from multiple origins, content from other
origins won't be accessible after transfer without first making a
request to the other origin.
Content loaded from a bundle MUST NOT be made available for use by
origins other than the target origin. For example, if the bundle
includes a script that maps to a URL on the target origin and a site
at another origin loads that script, then the user agent fetches the
script. The user agent MAY use a conditional request with If-None-
Digest [IF-DIGEST] and the Digest header field [DIGEST] to reduce the
overhead of these requests at its discretion, noting that this might
introduce observable timing signals.
Restricting content to use by the target origin avoids the negative
effects described in [SRI-ADDRESSABLE]. The target origin is
required to demonstrate knowledge of the contents of the bundle,
which prevents that origin from being poisoned by an attacker. For
origins other than the target origin, content cannot be emplaced
through the use of a bundle.
Alternative methods for transfer of content might require per-
resource confirmation by the origin. That might be loosened so that
resources that use Subresource Integrity [SRI] do not require
confirmation. But that increases the need to provide integrity
attributes at the point that resources are referred to. If content
is fetched programmatically, that might be operationally challenging.
5.4.2. Transfer of Storage
Upon transfer, any indexedDB databases [INDEXEDDB] are transferred to
the target origin. The names of any databases are prefixed with the
origin from which they came. If a database with the same name exists
at the destination, a new name is selected.
Thomson Expires 10 September 2020 [Page 13]
�
Internet-Draft Content-Based Origins March 2020
The event that indicates transfer will list the databases that were
transferred, their names and any name changes.
5.4.3. Transfer of Permissions
As part of a state transfer, any persistent permissions that a user
granted the content-based origin might be transferred to the target
origin.
Whether any given permission is transferred and what conditions are
attached to the transferral will depend on the policy of the user
agent. It might be considered best to discard permissions and
request each anew as necessary. As transferral is a one-time event,
causing prompts to be reinitiated might not be too much of an
imposition.
5.5. Navigation Transfers
Initiating transfer on navigation enables pre-loading of content from
bundles.
To address this use case, the user agent navigates to a bundle. That
bundle might be served from the site providing the link to ensure
that information about the linking page is not revealed to the target
origin prior to navigation.
Navigating to the bundle causes an immediate load of the content of
the bundle. This assumes that there is either a URL component that
specifies a single entry point for the bundle or that the bundle
itself identifies the entrypoint.
If a transfer target URL is specified for the target resource, the
user agent navigates to that URL. The user agent MUST fetch the
transfer target URL and include a Sec-Content-Origin header field in
the request as described in Section 5. This request MAY also include
the ETag header field from the bundled content.
Using If-None-Digest [IF-DIGEST] allows the resource at the transfer
target URL to return a 304 (Not Modified) status code in response to
a request if the content provided in the bundle known to the server
to be sufficient.
The result is that the state from the bundle is transferred to the
target origin. As the navigation is immediate, no state will have
been created within the bundle so the transfer of state can be
skipped by the browser if navigation from a previously unused
content-based origin is successful. It is possible that the content-
Thomson Expires 10 September 2020 [Page 14]
�
Internet-Draft Content-Based Origins March 2020
based origin might have previously used, in which case state
transferrance might occur.
5.6. Communication Between Origins
Without knowledge of the content of a resource, or bundle of
resources, a content-based origin will be impossible to guess. This
means that communication is only possible if the frame in which the
content is loaded by the origin attempting communication, or the
content is known to that origin.
6. Security Considerations
This design avoids questions about having to attribute authority to a
static bundle of content. Instead, it creates a new origin type and
enables the transfer of state from one origin to another. The target
origin can decide whether to accept a transfer, thereby avoiding any
questions of poisoning of content. If content is found to be
compromised, an origin can subsequently refuse to accept a transfer
from that content.
Transfer of state to an origin with an "http://" origin is not
possible. This mechanism depends on the target origin being strongly
authenticated.
7. IANA Considerations
[[TODO: Register the Sec-Content-Origin header field. Probably a lot
more.]]
8. References
8.1. Normative References
[BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>.
[BUNDLE] Yasskin, J., "Bundled HTTP Exchanges", Work in Progress,
Internet-Draft, draft-yasskin-wpack-bundled-exchanges-02,
26 September 2019, <http://www.ietf.org/internet-drafts/
draft-yasskin-wpack-bundled-exchanges-02.txt>.
[HTTP] Fielding, R., Nottingham, M., and J. Reschke, "HTTP
Semantics", Work in Progress, Internet-Draft, draft-ietf-
httpbis-semantics-07, 7 March 2020, <http://www.ietf.org/
internet-drafts/draft-ietf-httpbis-semantics-07.txt>.
Thomson Expires 10 September 2020 [Page 15]
�
Internet-Draft Content-Based Origins March 2020
[HTTP2] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
DOI 10.17487/RFC7540, May 2015,
<https://www.rfc-editor.org/info/rfc7540>.
[NI] Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B.,
Keranen, A., and P. Hallam-Baker, "Naming Things with
Hashes", RFC 6920, DOI 10.17487/RFC6920, April 2013,
<https://www.rfc-editor.org/info/rfc6920>.
[ORIGIN] Barth, A., "The Web Origin Concept", RFC 6454,
DOI 10.17487/RFC6454, December 2011,
<https://www.rfc-editor.org/info/rfc6454>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[SH] Nottingham, M. and P. Kamp, "Structured Headers for HTTP",
Work in Progress, Internet-Draft, draft-ietf-httpbis-
header-structure-14, 28 January 2020,
<http://www.ietf.org/internet-drafts/draft-ietf-httpbis-
header-structure-14.txt>.
[SXG] Yasskin, J., "Signed HTTP Exchanges", Work in Progress,
Internet-Draft, draft-yasskin-http-origin-signed-
responses-08, 4 November 2019, <http://www.ietf.org/
internet-drafts/draft-yasskin-http-origin-signed-
responses-08.txt>.
8.2. Informative References
[CLEAR-DATA]
West, M., "Clear Site Data", W3C ED, 13 November 2017,
<https://w3c.github.io/webappsec-clear-site-data/>.
[DIGEST] Polli, R. and L. Pardue, "Digest Headers", Work in
Progress, Internet-Draft, draft-ietf-httpbis-digest-
headers-01, 3 November 2019, <http://www.ietf.org/
internet-drafts/draft-ietf-httpbis-digest-headers-01.txt>.
[HTML] WhatWG, ., "HTML", WhatWG Living Standard, 4 March 2020,
<https://html.spec.whatwg.org/>.
Thomson Expires 10 September 2020 [Page 16]
�
Internet-Draft Content-Based Origins March 2020
[IF-DIGEST]
Thomson, M., "Conditional HTTP Requests Using Digests",
Work in Progress, Internet-Draft, draft-thomson-http-if-
digest-00, 9 March 2020, <https://tools.ietf.org/html/
draft-thomson-http-if-digest-00>.
[INDEXEDDB]
Alabbas, A. and J. Bell, "Indexed Database API 3.0",
W3C ED, 29 February 2020,
<https://w3c.github.io/IndexedDB/>.
[LOADING] Yasskin, J., "Loading Signed Exchanges", 21 February 2020,
<https://wicg.github.io/webpackage/loading.html>.
[PERMISSIONS]
Lamouri, M., Cáceres, M., and J. Yasskin, "Permissions",
W3C ED, 30 October 2019,
<https://w3c.github.io/permissions/>.
[SERVICE-WORKERS]
Russell, A., Song, J., Archibald, J., and M.
Kruisselbrink, "Service Workers 1", W3C ED, 24 February
2020, <https://w3c.github.io/ServiceWorker/v1/>.
[SHA-2] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[SRI] Akhawe, D., Braun, F., Marier, F., and J. Weinberger,
"Subresource Integrity", W3C ED, 4 January 2020,
<https://w3c.github.io/webappsec-subresource-integrity/>.
[SRI-ADDRESSABLE]
Hill, B., "Subresource Integrity Addressable Caching", 15
October 2016, <https://hillbrad.github.io/sri-addressable-
caching/sri-addressable-caching.html>.
[TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[UNSIGNED] Yasskin, J., "Navigation to Unsigned Web Bundles", 20
February 2020,
<https://github.com/WICG/webpackage/blob/master/
explainers/navigation-to-unsigned-bundles.md>.
Thomson Expires 10 September 2020 [Page 17]
�
Internet-Draft Content-Based Origins March 2020
Acknowledgments
This work is hardly original, nor is it an individual effort.
[[TODO: acknowledge.]]
Author's Address
Martin Thomson
Mozilla
Email: mt@lowentropy.net
Thomson Expires 10 September 2020 [Page 18]
