
Making Web Applications secure by default #509

Closed
ghost opened this issue Mar 31, 2021 · 6 comments

Comments

@ghost

ghost commented Mar 31, 2021

Request for Mozilla Position on an Emerging Web Specification

Other information

The web was conceived as a way of displaying information to users, within a sandbox that is not secure by default (open to the internet and to the hosting server). With the development of new technologies facilitating user input, the modern web made it possible to build Web Applications in that insecure environment, which was primarily designed for web documents, not for applications. In consequence we now need to make Web Applications secure by default by making them offline-first and granting them internet access only via fine-grained, user-controlled permissions.

@ghost
Author

ghost commented Apr 1, 2021

Related Proposals

Web Bundles

A mechanism of distribution for Web Applications as binary bundles
https://wicg.github.io/webpackage/draft-yasskin-wpack-bundled-exchanges.html

Unlike websites, which are directly reachable via a URL in the browser, Web Applications can be distributed as binary Web Bundles that are first downloaded by the user and then launched in the browser.

Script Tag extension: Per-Module Network Isolation

whatwg/html#6547
Per-Module Network Isolation in the script tag ensures that an offline-first Web Application can use network access in an easily auditable and secure way, by isolating the parts of the application that require network access.

Deprecation of "cross-origin-policy" in favor of a declarative network isolation of insecure HTML tags

whatwg/html#6553
The extension of declarative network isolation to all insecure HTML tags allows fine-grained control of network policies directly from within the HTML, which is more in line with the HTML specification than "cross-origin-policy" and is easier for web developers to reason about.

Declarative cross-origin communication in iframe and popup tags via Shared Worker

whatwg/html#6555

Building on declarative network isolation for insecure HTML tags, we can now very easily and securely establish declarative cross-origin communication flows between a website, an iframe and a popup window, by leveraging the Shared Worker technology.
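The per-module network isolation idea above (each script module gets network access only if it declares it, and only to the origins it is granted) can be modelled in plain JavaScript. The block below is an added illustration written for this page; it is not the proposal's specification, not code from the issue author, and not how any browser implements anything. The policy shape, the module URLs (`https://app.example/...`), the API origin and the `NetworkPolicyError` name are all assumptions made for the example, and the fetch is a fake so the code runs offline.

```javascript
// Added illustration of "per-module network isolation" as a userland policy
// check. Hypothetical policy format: module URL -> origins it may contact.
// A module absent from the policy has no network access at all (offline-first).
const NETWORK_POLICY = {
  "https://app.example/sync.js": ["https://api.example"],
  // "https://app.example/app.js" is deliberately absent: the main module
  // stays offline and any fetch it attempts is denied.
};

class NetworkPolicyError extends Error {}

// Decide whether `moduleUrl` may fetch `targetUrl` under `policy`.
function isFetchAllowed(policy, moduleUrl, targetUrl) {
  const allowedOrigins = policy[moduleUrl];
  if (!allowedOrigins) return false;              // module never declared network access
  let target;
  try {
    target = new URL(targetUrl);
  } catch {
    return false;                                 // malformed URL: deny, don't guess
  }
  if (target.protocol !== "https:") return false; // only https origins can be granted
  return allowedOrigins.includes(target.origin);  // origin = scheme + host + port
}

// Build a fetch-like function bound to one module. `doFetch` is injected so the
// example runs offline; a real shim would wrap globalThis.fetch. Every decision
// is appended to `audit`, which is what makes the module's network use auditable.
function makeModuleFetch(policy, moduleUrl, doFetch, audit = []) {
  return async function moduleFetch(targetUrl, init) {
    const allowed = isFetchAllowed(policy, moduleUrl, targetUrl);
    audit.push({ module: moduleUrl, target: targetUrl, allowed });
    if (!allowed) {
      throw new NetworkPolicyError(`${moduleUrl} may not reach ${targetUrl}`);
    }
    return doFetch(targetUrl, init);
  };
}

// Constructed demonstration: a granted module, a module with no grant, and a
// granted module trying an origin outside its grant. No real network is used.
async function demo() {
  const audit = [];
  const fakeFetch = async (url) => ({ ok: true, url });
  const syncFetch = makeModuleFetch(NETWORK_POLICY, "https://app.example/sync.js", fakeFetch, audit);
  const appFetch = makeModuleFetch(NETWORK_POLICY, "https://app.example/app.js", fakeFetch, audit);

  const results = {};
  results.syncToApi = (await syncFetch("https://api.example/v1/items")).ok;   // allowed
  try {
    await syncFetch("https://evil.example/exfil");                            // denied: wrong origin
    results.syncToEvil = "allowed";
  } catch (e) {
    results.syncToEvil = e instanceof NetworkPolicyError ? "denied" : "error";
  }
  try {
    await appFetch("https://api.example/v1/items");                          // denied: no grant
    results.appToApi = "allowed";
  } catch (e) {
    results.appToApi = e instanceof NetworkPolicyError ? "denied" : "error";
  }
  results.auditEntries = audit.length;
  return results;
}
```

The point of the model is that the grant is attached to the module, not to the page: `sync.js` can reach its one API origin and nothing else, and `app.js`, which never declared a need for the network, cannot fetch at all, even from an origin another module is allowed to use. The audit array is the "easily auditable" part of the argument: a reviewer can list exactly which module asked for which origin and whether it was allowed.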

@josephrocca

josephrocca commented Apr 3, 2021

There is some related discussion here: https://bugs.chromium.org/p/chromium/issues/detail?id=995236

@ghost
Author

ghost commented Apr 4, 2021

@josephrocca, the Chromium bug above indeed expresses the same concern of being able to restrict network access for the application, in the context of a PWA, in order to achieve a better security model and to protect the user, and not only the computer as the browser sandbox does.

However, PWAs are "enhanced" websites directly served from a URL, and in order to actually load the scripts, such as:

<script type="module" src="app.js"></script>

the main document needs to have network access, meaning that the main document is not offline-first in a PWA, which poses a security issue.

In the context of a Web Bundled Application, where all the resources already exist "client-side" at launch time, the main document does not need network access, and therefore, it can load a script such as the one above without declaring a network permission for the script tag with an allow-net attribute in the head of the document. I have updated (whatwg/html#6553) so that it is clearer that security can be best achieved for Web Applications in the context of a Web Bundle.

@annevk
Contributor

annevk commented Apr 12, 2021

This isn't concrete enough to evaluate. Please get back to us once there's a processing model of sorts.

@annevk annevk closed this as completed Apr 12, 2021
@ghost
Author

ghost commented Apr 12, 2021

Please get back to us once there's a processing model of sorts.

Can you please explain what you mean by "processing model of sorts"?

@annevk
Contributor

annevk commented Apr 12, 2021

A specification that's concrete enough so it can be implemented in a browser, such as Firefox.
