Design Review #655

#655: Capability Delegation

Opened Jun 30, 2021

Ya ya yawm TAG!

I'm requesting a TAG review of Capability Delegation.

"Capability delegation" means allowing a frame to relinquish its ability to call a restricted API and transfer the ability to another (sub)frame it trusts. The focus here is a dynamic delegation mechanism which exposes the capability to the target frame in a time-constrained manner (unlike <iframe allow=...> attribute which is not time-constrained).

Explainer: https://wicg.github.io/capability-delegation/
Specification URL: https://wicg.github.io/capability-delegation/spec.html
Tests: Not available yet.
Security and Privacy self-review: https://github.com/WICG/capability-delegation/blob/main/security_and_privacy_questionnaire.md
GitHub repo: WICG/capability-delegation
Primary contacts (and their relationship to the specification):
- Mustaq Ahmed (@mustaqahmed), Google
Organization(s)/project(s) driving the specification: Google Chrome
Key pieces of existing multi-stakeholder review or discussion of this specification:
- Stripe publicly supported this proposal in the WICG discourse thread.
- Web Payments spec issue.
- A comment from HTML editor about fixing a Screen Capture issue.
- This proposal also addresses concerns raised in this related TAG review.
External status/issue trackers for this specification: https://www.chromestatus.com/feature/5708770829139968

Further details:

I have reviewed the TAG's Web Platform Design Principles
Relevant time constraints or deadlines:
The group where the work on this specification is currently being done: WICG
The group where standardization of this work is intended to be done: WHATWG and Web Payments
Major unresolved issues with or opposition to this specification: None so far
This work is being funded by: Google Chrome

You should also know that our previous TAG request to delegate user activation raised valid concerns about being too generic, so we limited the scope of delegation here to a particular API. More details can be found in this section in the design doc.

We'd prefer the TAG provide feedback as: 🐛 open issues in our GitHub repo for each point of feedback

Discussions

2021-09-20

Minutes

Dan: 8 days ago work going on on the spec

Ken: payment integration...

Sangwhan: I see what they're trying to solve, this makes sense. Doesn't seem compatible with.... the capability delegation protocol and capabilities should probably be aligned with what we have in permission policy

Ken: yeah, what capabilities is this going to apply to?

Sangwhan: right now it's payment request

Ken: and fullscreen

Sangwhan: it's in the example and they've been thinking about it but current origin trial is just for payment request. The use case is fine. Seems a little bit unaligned with permission policy. It should be delegating a permission based on a user activation and request? If you're delegating an iframe to be able to do getusermedia based on the parent being granted getusermedia... should that be possible or should that be a separate permission? if you do getusermedia request on an iframe you're going to get a permission request on a different origin than what the user is looking at.. that's weird.

Dan: i was tracking down multi implementer support angle.. Chrome status page says positive feedback from Mozilla but when I followed that link it goes to a mozilla standards position where Anne says "I'm not 100% sure I understand this correctly" but does say agree it seems useful... but I think this is more.. positive engagement.

Sangwhan: not affirmative

Dan: yeah

Sangwhan: a bunch of unanswered questions, the fact that user activiation doesn't pass through iframes correctly at least from a scripting perspective is problematic. it is a user activation but in certain cases it doesn't work from an end user perpsective which is confusing. User activation gating is our problem not their problem as an end user. i have to think about this more. I can see the utility, definitely. There's a problem that needs to be solved, just don't know if the proposed api is the right way to approach it.

Dan: leaves comment. Come back to it at plenary.

2021-10-25

Minutes

Peter: this one we're happy with.

Rossen: right. here the thing is you want to be able to grab a capability and propogate it down to an iframe... the way you do this is for any nested iframe you can request to have a capability delegated. For example giving it the ability to handle payments. Making e.g. Stripe work in an iframe as a payment handler. Removing friction in payment is a key factor. Great use case. This delegates down feature capabilities. All the privacy control features as part of webappsec permissions policy. Feature wise it makes sense. By delegating the capability you delegate it to anything inside that iframe. They can further delegate it to someone else. Don't know if it's preventable. The other thing that jumped out: as you read their doc - the privacy & security section - they're claiming that the capability doesn't allow provisions to sensors. Not true - it does allow camera, gyroscope, etc... you can delegate device access through that feature. I've asked them to document that in their security & privacy section.

Peter: some background - the capabilities includes the user activation state... they did delegate the capability of user activation... that way we're not baking in the user activation.

Hadley: what's the difference?

Peter: not just the permission. some things require user activation. You could delegate the permission but not have the user activation state. becuase the parent frame got the user activation state.

Hadley: is it possible for a webapp with access to camera and microphone and had an iframe for advertisers - is it possible the advertiser would get access without me being aware?

Rossen: yes although they could that today....

Dan: some possibility here - getusermedia for example in a peer to peer webrtc session..

Peter: we could restrict the capability to delegate to a subset of capabilities.

Rossen: i would be more worried about webusb or webshare...

Peter: parent frame... Payment processing...

Rossen: the exploit path is to impersonate myfavstore.com - i fool you into thinking you're buying a new headset. ... if I already fooled you on the top level document if I give it to a subframe it doesn't really matter. The payment capability is decent. the scenario is defendable. When it comes to device capability we need to tighten down. Maybe we can tighten the allow list to only a subset of what's listed in permissions policy.

Dan: i think that makes sense - don't open the floodgates to all the capabilities...

Hadley: i second that.

Rossen: I like that. In that case my proposal is to keep the issue open and feed that back and see if they're ok with that.

Peter: their explainer mentions a few use cases - i don't think they want to expose everything.

Rossen: it's in the spec itself. in Section 3.

Hadley: Adding that comment sounds good to me.