Use "least restrictive" directive instead of prefetch-src

noamr · noamr · commit 04c1f65bcb13 · 2022-12-19T12:55:37.000+02:00
When prefetching a resource (or preconnecting to an origin), the destination of the request is unknown and also not important. e.g. if this resource is a script and would be disallowed by `script-src`, the directive would be invoked again when the response is about to be consumed and would be rejected then. The only security measure valid for prefetch/preconnect is to avoid exfiltration - i.e. block the request when the default directive blocks this URL and no other directive allows it. Closes w3c#542
diff --git a/index.bs b/index.bs
@@ -2156,7 +2156,6 @@ this algorithm returns normally if compilation is allowed, and throws a
                                <a>img-src</a> <a grammar>'self'</a>;
                                <a>manifest-src</a> <a grammar>'self'</a>;
                                <a>media-src</a> <a grammar>'self'</a>;
-                               <a>prefetch-src</a> <a grammar>'self'</a>;
                                <a>object-src</a> <a grammar>'self'</a>;
                                <a>script-src-elem</a> <a grammar>'self'</a>;
                                <a>script-src-attr</a> <a grammar>'self'</a>;
@@ -2186,7 +2185,6 @@ this algorithm returns normally if compilation is allowed, and throws a
                                <a>img-src</a> <a grammar>'self'</a>;
                                <a>manifest-src</a> <a grammar>'self'</a>;
                                <a>media-src</a> <a grammar>'self'</a>;
-                               <a>prefetch-src</a> <a grammar>'self'</a>;
                                <a>object-src</a> <a grammar>'self'</a>;
                                <a>script-src-elem</a> https://example.com;
                                <a>script-src-attr</a> <a grammar>'self'</a>;
@@ -2703,74 +2701,6 @@ this algorithm returns normally if compilation is allowed, and throws a
 
   4.  Return "`Allowed`".
 
-  <h4 id="directive-prefetch-src">`prefetch-src`</h4>
-
-  The <dfn export>prefetch-src</dfn> directive restricts the URLs from which resources may be
-  prefetched or prerendered. The syntax for the directive's name and value is described by the
-  following ABNF:
-
-  <pre>
-    directive-name  = "prefetch-src"
-    directive-value = <a grammar>serialized-source-list</a>
-  </pre>
-
-  <div class="example">
-    Given a page with the following Content Security Policy:
-
-    <pre>
-      <a http-header>Content-Security-Policy</a>: <a>prefetch-src</a> https://example.com/
-    </pre>
-
-    Fetches for the following code will return network errors, as the URLs provided do not match
-    `prefetch-src`'s <a>source list</a>:
-
-    <pre highlight="html">
-      &lt;link rel="prefetch" src="https://example.org/"&gt;&lt;/link&gt;
-      &lt;link rel="prerender" src="https://example.org/"&gt;&lt;/link&gt;
-    </pre>
-  </div>
-
-  <h5 algorithm id="prefetch-src-pre-request">
-    `prefetch-src` Pre-request check
-  </h5>
-
-  This directive's <a for="directive">pre-request check</a> is as follows:
-
-  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):
-
-  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
-      on |request|.
-
-  2.  If the result of executing [[#should-directive-execute]] on |name|,
-      `prefetch-src` and |policy| is "`No`", return "`Allowed`".
-
-  3.  If the result of executing [[#match-request-to-source-list]] on |request|,
-      this directive's [=directive/value=], and |policy|,
-      is "`Does Not Match`", return "`Blocked`".
-
-  4.  Return "`Allowed`".
-
-  <h5 algorithm id="prefetch-src-post-request">
-    `prefetch-src` Post-request check
-  </h5>
-
-  This directive's <a for="directive">post-request check</a> is as follows:
-
-  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
-  <a for="/">policy</a> (|policy|):
-
-  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
-      on |request|.
-
-  2.  If the result of executing [[#should-directive-execute]] on |name|,
-      `prefetch-src` and |policy| is "`No`", return "`Allowed`".
-
-  3.  If the result of executing [[#match-response-to-source-list]] on |response|,
-      |request|, this directive's [=directive/value=], and |policy|,
-      is "`Does Not Match`", return "`Blocked`".
-
-  4.  Return "`Allowed`".
-
   <h4 id="directive-script-src">`script-src`</h4>
 
   The <dfn export>script-src</dfn> directive restricts the locations from which scripts
@@ -3794,16 +3724,41 @@ this algorithm returns normally if compilation is allowed, and throws a
   algorithm returns the violated <a>directive</a> if the request violates the
   policy, and "`Does Not Violate`" otherwise.
 
-  1.  Let |violates| be "`Does Not Violate`".
+  1.  If |request|'s [=request/initiator=] is "`prefetch`", then return the result of executing
+      [[#does-resource-hint-violate-policy]] on |request| and |policy|.
 
-  2.  <a for=set>For each</a> |directive| of |policy|:
+  2.  Let |violates| be "`Does Not Violate`".
+
+  3.  <a for=set>For each</a> |directive| of |policy|:
 
       1.  Let |result| be the result of executing |directive|'s
           <a for="directive">pre-request check</a> on |request| and |policy|.
 
       2.  If |result| is "`Blocked`", then let |violates| be |directive|.
 
-  3.  Return |violates|.
+  4.  Return |violates|.
+
+  <h5 id="does-resource-hint-violate-policy">
+    Does resource hint |request| violate |policy|?
+  </h5>
+
+  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|), this
+  algorithm returns the default <a>directive</a> if the resource-hint request violates all the
+  policies, and "`Does Not Violate`" otherwise.
+
+  1. Let |defaultDirective| be |policy|'s first [=directive=] whose [=directive/name=] is
+      "`default-src`".
+
+  2. If |defaultDirective| does not exist, return "`Does Not Violate`".
+
+  3. <a for=set>For each</a> |directive| of |policy|:
+
+      1.  Let |result| be the result of executing |directive|'s
+          <a for="directive">pre-request check</a> on |request| and |policy|.
+
+      2. If |result| is "`Allowed`", then return "`Does Not Violate`".
+
+  4. Return "`Blocked`".
 
   <h5 id="match-nonce-to-source-list" algorithm>
     Does |nonce| match |source list|?
