w3c/network-error-logging

One origin can set a policy for a different origin

zcorpan opened this issue · 3 comments

https://github.com/w3c/network-error-logging/blob/gh-pages/EXPLAINER.md#security-and-privacy-aspects says

NEL reports are only visible to the server administrator.

You cannot use NEL to collect reports about servers or websites that you don't control. NEL is configured separately for each origin, and is only enabled for secure connections. Before using a NEL policy to create a report about a request, we verify that the policy was received from the same server that is handling that request. (This helps prevent, for instance, using a DNS rebinding attack with NEL to collect information about a user's internal network.)

https://w3c.github.io/network-error-logging/#choose-a-policy-for-an-origin says

Given an origin (origin), this algorithm determines which NEL policy in the policy cache should be used to generate reports for network requests to origin.

  1. If there is an entry in the policy cache for origin:
     1. Let policy be that entry.
     2. If policy is not expired, return it.
  2. For each parent origin that is a superdomain match of origin:
     1. If there is an entry in the policy cache for parent origin:
        1. Let policy be that entry.
        2. If policy is not expired, and its subdomains flag is include, return it.
  3. Return no policy.

superdomain match is defined as

Superdomain Match

If a label-for-label match between an entire Known HSTS Host's domain name and a right-hand portion of the given domain name is found, then this Known HSTS Host's domain name is a superdomain match for the given domain name. There could be multiple superdomain matches for a given domain name.

For example:

Given domain name (DN): qaz.bar.foo.example.com

Superdomain matched
Known HSTS Host DN: bar.foo.example.com

Superdomain matched
Known HSTS Host DN: foo.example.com

So origin ("https", "foo.example.com", 443) can set a policy for the origins (any scheme, "anything.foo.example.com", any port), correct? But only if HSTS is used? The details of how this is intended to work, how it is actually defined to work, are unclear to me.

Is ("https", "foo.example.com", 443) the same server as ("wss", "staging.foo.example.com", 8080)?

Why isn't a simple origin check used?
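To make the quoted "choose a policy for an origin" algorithm and the superdomain-match rule concrete, here is an added Python model; it is not the spec's or any browser's code. It assumes a policy cache keyed by (scheme, host, port), that a parent origin must share the request's scheme and port (the spec text quoted above does not say), and it encodes the restriction from the replies below: a policy reached only via a superdomain match can produce reports about the DNS resolution phase alone.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

Origin = Tuple[str, str, int]  # (scheme, host, port)

@dataclass
class Policy:
    origin: Origin
    expires: float            # absolute time; expired once now >= expires
    include_subdomains: bool  # True when the policy's "subdomains" flag is "include"

def superdomain_matches(host: str) -> Iterator[str]:
    """Right-hand, label-for-label suffixes of host, closest parent first."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])

def choose_policy(cache: Dict[Origin, Policy], origin: Origin, now: float):
    """Steps 1-3 of 'choose a policy for an origin'.
    Returns (policy, found_via_superdomain) or (None, False)."""
    scheme, host, port = origin
    policy = cache.get(origin)
    if policy is not None and now < policy.expires:
        return policy, False
    for parent_host in superdomain_matches(host):
        # Assumption: a parent origin must share the request's scheme and port.
        parent = cache.get((scheme, parent_host, port))
        if parent is not None and now < parent.expires and parent.include_subdomains:
            return parent, True
    return None, False

def policy_for_report(cache, origin, phase, now) -> Optional[Policy]:
    """A policy found only through a superdomain match may be used for reports
    about the "dns" phase, never for later phases ("connection", "application")."""
    policy, via_superdomain = choose_policy(cache, origin, now)
    if policy is None or (via_superdomain and phase != "dns"):
        return None
    return policy

# Constructed sample policy cache (not real sites); times are arbitrary seconds.
CACHE = {
    ("https", "foo.example.com", 443): Policy(("https", "foo.example.com", 443), 2000.0, True),
    ("https", "bar.example.com", 443): Policy(("https", "bar.example.com", 443), 2000.0, False),
}
```

With this model, a DNS failure for staging.foo.example.com is reported under foo.example.com's policy, but a connection or application failure for the same host is not reported at all unless staging.foo.example.com has its own policy.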

Hi Simon, thanks for the feedback! The tl;dr here is that it's only "superdomain matches" that don't use the regular, simple origin equality check, and that superdomain matches can only be used to report information about DNS resolution. The bits that you've quoted combine with steps 7 and 8 in §5.4 to ensure that's true. (The goal here is to allow the owner of that part of the DNS tree to see errors about DNS resolution for the domain names that they have control over, without being able to collect information about any third-party services hosted on those domains.)

So for reports about successful requests, or about requests that fail at any point after DNS resolution, the behavior that you suggest is what will happen: we'll only pay attention to a NEL policy that matches the exact same origin as the request itself.

Thanks. I had missed step 8 in §5.4. Maybe a note can be added to clarify this?

Closing; there's a note now in §5.4 that reads:

"This step ensures that subdomain NEL policies can only be used to generate reports about subdomains of the policy origin during the DNS resolution phase of a request. See 9. Privacy Considerations for more details."