{"id":330184,"date":"2020-12-17T08:07:33","date_gmt":"2020-12-17T16:07:33","guid":{"rendered":"https:\/\/css-tricks.com\/?p=330184"},"modified":"2020-12-22T13:04:19","modified_gmt":"2020-12-22T21:04:19","slug":"i-learned-to-love-the-same-origin-policy","status":"publish","type":"post","link":"https:\/\/css-tricks.com\/i-learned-to-love-the-same-origin-policy\/","title":{"rendered":"I learned to love the Same-Origin Policy"},"content":{"rendered":"\n<p>I spent a good chunk of my work life this year trying (in collaboration with the amazing <a href=\"https:\/\/github.com\/noamr\" rel=\"noopener\">Noam Rosenthal<\/a>) to standardize a new web platform feature: a way to modify the intrinsic size and resolution of images. And hey! <a href=\"https:\/\/github.com\/whatwg\/html\/pull\/5574#issuecomment-709847966\" rel=\"noopener\">We did it!<\/a> But boy, was it ever a <em>learning experience<\/em>.<\/p>\n\n\n\n<p>This wasn&#8217;t my first standardization rodeo, so many of the issues we ran into, I more-or-less anticipated. <a href=\"https:\/\/lists.webkit.org\/pipermail\/webkit-dev\/2020-March\/031143.html\" rel=\"noopener\">Strong negative feedback<\/a> from browsers. <a href=\"https:\/\/github.com\/httpwg\/http-extensions\/issues\/1102\" rel=\"noopener\">Weird, unforeseen gotchas<\/a> with the underlying primitives. <a href=\"https:\/\/discourse.wicg.io\/t\/proposal-exif-image-resolution-auto-and-from-image\/4326\" rel=\"noopener\">A complete re-think<\/a> or <a href=\"https:\/\/discourse.wicg.io\/t\/proposal-exif-image-resolution-auto-and-from-image\/4326\/24\" rel=\"noopener\">two<\/a>. What I didn&#8217;t anticipate though, was that our proposal \u2014 which, again, was \u201conly\u201d about modifying the default display size of images \u2014 would run afoul of the fundamental privacy and security principles of the web. Because before this year, I didn&#8217;t really understand those principles.<\/p>\n\n\n\n<p>Let me set the table a bit. What were we trying to do?<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>By default, images on the web show up exactly as big as they are. Embedding an 800\u00d7600 image? Unless you stretch or shrink that image with CSS or <a href=\"https:\/\/codepen.io\/eeeps\/pen\/vYXNVrx\" rel=\"noopener\">markup<\/a>, that&#8217;s exactly how large it&#8217;s going to be: 800 CSS pixels across, and 600 CSS pixels tall. That&#8217;s the image&#8217;s <em>intrinsic (aka <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/HTMLImageElement\/naturalWidth\" rel=\"noopener\">&#8220;natural&#8221;<\/a>) size<\/em>. Another way to put this is that, by default, all images on the web have an <em>intrinsic density<\/em> of 1\u00d7.<\/p>\n\n\n\n<p>That&#8217;s all well and good, until you&#8217;re trying to serve up <a href=\"http:\/\/usecases.responsiveimages.org\/#device-pixel-ratio-based-selection\" rel=\"noopener\">high<\/a>-, <a href=\"https:\/\/www.guypo.com\/introducing-lqip-low-quality-image-placeholders\" rel=\"noopener\">low<\/a>-, or <a href=\"https:\/\/cloudinary.com\/blog\/automatic_responsive_images_with_client_hints\" rel=\"noopener\">&#x2728;variable&#x2728;<\/a>-density images, without access to CSS or HTML. This is a situation that image hosts like my employer, <a href=\"https:\/\/cloudinary.com\" rel=\"noopener\">Cloudinary<\/a>, find themselves in quite often.<\/p>\n\n\n\n<p>So, we set out to give ourselves and the rest of the web a tool to modify the intrinsic size and resolution of images. After a couple of re-thinks, the solution that we landed on was this:<\/p>\n\n\n\n<ol><li>Browsers should read and apply metadata <em>contained within image resources themselves<\/em>, allowing them to declare their own intended display size and resolution.<\/li><li>Following in the recent footsteps of <code><a href=\"https:\/\/drafts.csswg.org\/css-images-3\/#the-image-orientation\" rel=\"noopener\">image-orientation<\/a><\/code> \u2014 by default, browsers would respect and apply this metadata. But you could override it or turn it off with a little CSS (<code><a href=\"https:\/\/drafts.csswg.org\/css-images-4\/#propdef-image-resolution\" rel=\"noopener\">image-resolution<\/a><\/code>), or markup (<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Learn\/HTML\/Multimedia_and_embedding\/Responsive_images#Resolution_switching_Same_size_different_resolutions\" rel=\"noopener\"><code>srcset<\/code>\u2019s <code>x<\/code> descriptors<\/a>).<\/li><\/ol>\n\n\n\n<p>We felt pretty good about this. It was flexible, it built on an existing pattern, and it seemed to address all of the issues that had been raised against our previous proposals. Alas, one of the editors of the HTML spec, <a href=\"https:\/\/annevankesteren.nl\" rel=\"noopener\">Anne van Kesteren<\/a>, said: no. <a href=\"https:\/\/github.com\/whatwg\/html\/pull\/5574#issuecomment-638744707\" rel=\"noopener\">This wasn&#8217;t going to work<\/a>. And <a href=\"https:\/\/github.com\/w3c\/csswg-drafts\/issues\/5165\" rel=\"noopener\"><code>image-orientation<\/code> needed an urgent re-think, too<\/a>. Because this pattern, where you can turn the effects of EXIF metadata on and off with CSS and HTML, would violate the \u201c<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy\" rel=\"noopener\">Same-Origin Policy<\/a>.\u201d<\/p>\n\n\n\n<p>Uh&#8230; what?<\/p>\n\n\n\n<p>Aren&#8217;t we just scaling and rotating images??<\/p>\n\n\n\n<p>Confession time! Before all of this, I&#8217;d more or less equated the Same-Origin Policy with <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/CORS\" rel=\"noopener\">CORS<\/a> errors, and all of the frustration that they&#8217;ve caused me over the years. Now, though, the Same-Origin Policy wasn&#8217;t just standing between me and handling a <code>fetch<\/code>, it was holding up a major work initiative. And I had to explain the situation to bosses who knew even less about security and privacy on the web than I did. Time to learn!<\/p>\n\n\n\n<p>Here&#8217;s what I learned:<\/p>\n\n\n\n<ul><li>The Same-Origin Policy isn&#8217;t a single, simple, rule. And it certainly isn&#8217;t == CORS errors.<\/li><li>What it is, is a philosophy which has evolved over time, and has been inconsistently implemented across the web platform.<\/li><li>In general, what it says is: the fundamental security and privacy boundary of the web is <strong><a href=\"https:\/\/tools.ietf.org\/html\/rfc6454\" rel=\"noopener\">origins<\/a><\/strong>. Do you share an origin with something else on the web? You can interact with it however you like. If not, though, you might have to jump through some hoops.<\/li><li>Why &#8220;might?&#8221; Well, a lot of cross-origin interactions are allowed, by default! Generally, when you&#8217;re making a website, you can <strong>write<\/strong> across origins (by sending <code>POST<\/code> requests off to whoever you please, via forms). And you can even <strong>embed<\/strong> cross-origin resources (iframes, images, fonts, etc) that your site&#8217;s visitors will see, right there on your website. But what you can&#8217;t do, is look at those cross-origin resources, yourself. You shouldn&#8217;t be able to <strong>read<\/strong> anything about a cross-origin resource, in your JavaScript, without specially-granted permission (via our old friend, CORS).<\/li><li>Here&#8217;s the thing that blew my mind the most, once I finally understood it: cross-origin <strong>reads<\/strong> are forbidden by default because, as end-users, <em>we all see different world-wide webs<\/em>, and a website shouldn&#8217;t be able to see the rest of the web through its visitors&#8217; eyes. Individuals&#8217; varied local browsing contexts \u2013 including, but not limited to, cookies \u2014 mean that when I go to, say, gmail.com, I&#8217;m going to see something different than you, when you enter that same URL into your address bar and hit &#8220;return.&#8221; If other websites could fire off requests to Gmail from my browser, with my cookies, and read the results, well \u2013 that would be very, very bad!<\/li><\/ul>\n\n\n\n<p>So by default: you can do <em>lots<\/em> of things with cross-origin resources. But preventing cross-origin <em>reads<\/em> is kind of the whole ballgame. Those defaults are more-or-less what people are talking about when they talk about the &#8220;Same-Origin Policy.&#8221;<\/p>\n\n\n\n<p>How does this all relate to the intrinsic size and resolution of images?<\/p>\n\n\n\n<p>Let&#8217;s say there&#8217;s an image URL \u2013 <code>https:\/\/coolbank.com\/hero.jpg<\/code>, that happens to return a different resource depending on whether or not a user is currently logged in at coolbank.com. And let&#8217;s say that the version that shows up when you&#8217;re logged in, has some EXIF resolution info, but the version that shows up when you&#8217;re not, doesn&#8217;t. Lastly, let&#8217;s pretend that I&#8217;m an evil phisher-man, trying to figure out which bank you belong to, so I can spoof its homepage and trick you into typing your bank login info into my evil form.<\/p>\n\n\n\n<p>So! I embed <code>https:\/\/coolbank.com\/hero.jpg<\/code> on an evil page. I check its intrinsic size. I turn EXIF-sizing off, with <code>image-resolution: none<\/code>, and then check its size again. Now, even though CORS restrictions are preventing me from looking at any of the image&#8217;s pixel data, I know whether or not it contains any EXIF resolution information \u2014 I\u2019ve been able to read a little tiny piece of that image, across origins. And now, I know whether or not you&#8217;re logged into, and have an account at, coolbank.com.<\/p>\n\n\n\n<p>Far-fetched? Perhaps! But the web is an unimaginably large place. And, as Jen Simmons once put it,<\/p>\n\n\n\n<figure class=\"wp-block-embed-twitter wp-block-embed is-type-rich is-provider-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">This one of the best &amp; most important things about THE WEB. Go to a website, it\u2019s safe from malware. Download an app, you are at risk. You can\u2019t download random apps from random places. You can go to random websites, and expect to be safe. We must fight to keep the web like this. <a href=\"https:\/\/t.co\/xKQ5vVNCaU\">https:\/\/t.co\/xKQ5vVNCaU<\/a><\/p>&mdash; Jen Simmons (@jensimmons) <a href=\"https:\/\/twitter.com\/jensimmons\/status\/1237736255632429067?ref_src=twsrc%5Etfw\" rel=\"noopener\">March 11, 2020<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>Browsing the web is basically going around running other people&#8217;s untrusted and potentially malicious code, willy-nilly, all day long. The principles that underly web security and privacy \u2014 including the Same-Origin Policy \u2014 enable this safety, and must be defended absolutely. The hole we were unintentionally trying to open in the Same-Origin Policy seemed so small, at first. A few literal bits of seemingly-harmless information. But a cross-origin read, however small, is a cross-origin read, and cross-origin reads are <em>not allowed<\/em>.<\/p>\n\n\n\n<p>How did we fix our spec? We made EXIF resolution and orientation information un-readable across origins by making it un-turn-off-able: in cross-origin contexts, EXIF modifications are <em>always<\/em> applied. An 800\u00d7600 image whose EXIF says it should be treated as 400\u00d7300 will behave exactly like a 400\u00d7300 image, would, no matter what. A simple-enough solution \u2014 once we understood the problem.<\/p>\n\n\n\n<p>As a bonus, once I <em>really<\/em> understood the Same-Origin Policy and the <em>whys<\/em> behind the web&#8217;s default security policies, a bunch of other web security pieces started to fall into place for me.<\/p>\n\n\n\n<p><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/CSRF\" rel=\"noopener\">Cross-site request forgery<\/a> attacks take advantage of the fact that cross-origin <strong>writes<\/strong> are allowed, by default. If an API endpoint isn&#8217;t careful about how it responds to <code>POST<\/code> requests, bad things can happen. Likewise, <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/CSP\" rel=\"noopener\">Content Security Policy<\/a> allows granular control over what sorts of <strong>embeds<\/strong> are allowed, because again, by default, they <em>all<\/em> are, and it turns out, that opens the door to <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/Cross-site_scripting\" rel=\"noopener\">cross-site scripting<\/a> attacks. And the new alphabet soup of web security features \u2014 <a href=\"https:\/\/github.com\/whatwg\/html\/pull\/5334\" rel=\"noopener\">COOP<\/a>, <a href=\"https:\/\/wicg.github.io\/cross-origin-embedder-policy\/\" rel=\"noopener\">COEP<\/a>, <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Cross-Origin_Resource_Policy_(CORP)\" rel=\"noopener\">CORP<\/a>, and <a href=\"https:\/\/www.chromium.org\/Home\/chromium-security\/corb-for-developers\" rel=\"noopener\">CORB<\/a> \u2014 are all about shutting down cross-origin interactions <em>completely<\/em>, fixing some of the inconsistent ways that the Same-Origin Policy has been implemented over the years and closing down any\/all possible cross-origin interaction, to achieve a rarefied state known as <a href=\"https:\/\/web.dev\/why-coop-coep\/\" rel=\"noopener\">&#8220;cross-origin isolation&#8221;<\/a>. In a world where <a href=\"https:\/\/en.wikipedia.org\/wiki\/Spectre_(security_vulnerability)\" rel=\"noopener\">Spectre<\/a> and friends mean that cross-origin loading can be exploited to perform cross-origin <em>reading<\/em>, full cross-origin isolation is needed to guarantee saftey when doing various, new, powerful things.<\/p>\n\n\n\n<p>In short:<\/p>\n\n\n\n<ul><li>Security and privacy on the web are actually pretty amazing, when you think about it.<\/li><li>They&#8217;re a product of the platform&#8217;s default policies, which are all about restricting interactions across <strong>origins<\/strong>.<\/li><li>By default, the one thing no one should ever be able to do is <strong>read<\/strong> data across origins (without special permission).<\/li><li>The reason reads are forbidden is that we all see different webs, and attackers shouldn&#8217;t be able to see the web through potential victims&#8217; eyes.<\/li><li>No ifs, ands, or buts! Any hole in the Same-Origin Policy, however small, is surface area for abuse.<\/li><li>In 2020, I tried to open a tiny hole in the Same-Origin Policy (oops), and then got to learn all of the above.<\/li><\/ul>\n\n\n\n<p>Here&#8217;s to a safer and more secure 2021, in every possible sense.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I spent a good chunk of my work life this year trying (in collaboration with the amazing Noam Rosenthal) to standardize a new web platform feature: a way to modify the intrinsic size and resolution of images. And hey! We did it! But boy, was it ever a learning experience. This wasn&#8217;t my first standardization [&hellip;]<\/p>\n","protected":false},"author":274819,"featured_media":331107,"comment_status":"open","ping_status":"closed","sticky":false,"template":"art-direction\/eoy-2020.php","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"sig_custom_text":"","sig_image_type":"featured-image","sig_custom_image":0,"sig_is_disabled":false,"inline_featured_image":false,"c2c_always_allow_admin_comments":false,"footnotes":"","jetpack_publicize_message":"I learned to love the Same-Origin Policy by @etportis","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":[]},"categories":[4,18863],"tags":[],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2020\/12\/Screen-Shot-2020-12-17-at-8.05.36-AM.png?fit=2098%2C958&ssl=1","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/posts\/330184"}],"collection":[{"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/users\/274819"}],"replies":[{"embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/comments?post=330184"}],"version-history":[{"count":7,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/posts\/330184\/revisions"}],"predecessor-version":[{"id":331109,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/posts\/330184\/revisions\/331109"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/media\/331107"}],"wp:attachment":[{"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/media?parent=330184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/categories?post=330184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/tags?post=330184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}