Design Review #596

#596: Review request: Partitioning Network State

Opened Jan 12, 2021

HIQaH! QaH! TAG!

I'm requesting a TAG review of partitioning network state.

We propose to use the network partition key to partition connections and certain other network information, and only use state with a matching key for requests, in addition to whatever the object was previously keyed on. This will increase the eviction rate of various object types, since resource limitations require there be limits on the amount stored network objects. These limits do potentially leak information across network partition keys when evicting data, but addressing that is beyond the scope of this proposal.

Explainer
Specification URL
- Connection pooling portion of the fetch spec
GitHub repo
Tests: fetch/connection-pool/ (Only covers H1 sockets)
Security and Privacy self-review: https://github.com/MattMenke2/Explainer---Partition-Network-State/blob/main/security-privacy-questionnaire.md
Primary contact:
- Matt Menke (@MattMenke2), Google
Organization driving the specification: Google
Key pieces of existing multi-stakeholder review or discussion of this specification:
- This is an extension of partitioning the disk cache, which was reviewed at https://github.com/w3ctag/design-reviews/issues/424
- Main update to the fetch spec: https://github.com/whatwg/fetch/pull/1063
- Privacy CG list of bits of storage that leak data across-sites https://github.com/privacycg/storage-partitioning
External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
- FireFox intent to ship: https://groups.google.com/g/mozilla.dev.platform/c/uDYrtq1Ne3A
- WebKit supports this: https://webkit.org/status/#?search=client-side%20storage%20partitioning
- Chrome status entry: https://www.chromestatus.com/guide/edit/6713488334389248

Further details:

I have reviewed the TAG's API Design Principles
The group where the work on this specification is currently being done:
- Fetch spec / WHATWG.
Major unresolved issues with or opposition to this specification:
- Should additional information be added to the partition key, beyond top-frame site?
  - Chromium adds innermost iframe site
- Should origin be used instead of site? Main concern about using origin instead is performance.
- The explainer lists a number of areas not yet covered.
- Some areas mentioned in the explainer currently aren't specified all, or are only covered by low level protocol specs (e.g., TLS session resumption cache, ALPN cache)
This work is being funded by: Google

You should also know that...

While the explainer doesn't cover these, as it only covers cross-browser behaviors, in Chromium we intend to shard NEL and Reporting data by network partition key as well, for the moment. Both of these specs are in draft form, currently, and the reporting spec is moving towards making reporting information document-scoped, which will remove the need for reporting information to be keyed on network partition, since it will no longer have its own global cache. The NEL spec will also need to be updated to take this into account. Chromium will, of course, ultimately implement these standards as specified.

Also, the bits of this that are implemented in different browsers may not perfectly match - FireFox's intent covers HTTP auth, for instance, which is something the explainer doesn't yet cover, and which may require further spec work.

We'd prefer the TAG provide feedback as: 🐛 open issues in our GitHub repo for each point of feedback

Discussions

2021-01-Kronos

Minutes

Left comment about potential harm to end users re power and bandwidth consumption, but overall OK with this. Suggested mitigation for timing attacks aside from partitioning.

2021-04-26

Minutes

Tess: i want to investigate : to what extent does ths proposed spec match the partitioning that other ... already do. And whow can we find interop? There's a storage partitioning discussion in privacyCG group... That may include networking state stuff.

Yves: knowing if the partitioning of network state.. different process, thread for each tab then it's likely that they will be partitioned by default...

Tess: different browsers have different process architectures. Webkit has a network process that is distinct - so you could theoretically share network state between different browser parts.

Yves: ... many things that require buy-in from vebdors.

Tess: lots of moving parts.

Yves: goal is to avoid timing attacks - it's a good thing - but the question is : is there a consensus amongst browsers that it's a good way to do it?

Tess: will do more reading...

Yves: we can leave feedback asking for evidence of interop and vendor buy-in...

Peter: foundation key... everything else is based on - should be talking to the people working on storage partition keys.

Tess: some browsers double-key and some browsers triple-key...

Yves: having current partioning policies depending on caches, network state, etc...

Peter: confusing in their explainer: they propose using the 2-value key as a triple key.

Tess: THERE ARE 4 LIGHTS!!!

Dan: 😂

Hadley: additional network partition key?

Peter: top level site plus the iframe site. Network partition key is where you're using the key. Http cache partitioning ... [in some parts] double keying seems like single-keying...

Tess: I'll do it.

2021-05-Arakeen

Minutes

Propose close.

Draft closing comment from @hober:

Hi @MattMenke2!

@ylafon and I took a look at this during a breakout this week. Overall we're really happy that you're tackling this work; it's really important to the future of the Web.

I think whatever we do, SW (and all storage) should ideally be partitioned by network partition key. If you have B->C->B and use the full path as the key, the inner B would have its own SW, which would certainly a bit funky.

We have a separate design review request that came in recently, Partitioning Storage, Service Workers, and Communication APIs, and that for them, cookies and network stack related state is out of scope. We hope that you're working with them to make sure that the SW/storage partitioning key is the same as the one you're proposing.

We note that the multi-vendor effort to coordinate on all these types of partitioning questions is happening in the Privacy CG's storage-partitioning repo, which you're hopefully already aware of and pitching in on, which will help ensure that all implementations converge on the same partitioning keys for each kind of partitioned data or state.

Mostly our concern is that there are so many related-but-distinct efforts going on here, we want to make sure that we don't end up with subtly-different and incompatible solutions in each case of partitioning.

Thanks for bringing this to us, and please don't hesitate to come back to us if there are substantive changes that you'd like us to take a look at.