Reporting #585
Comments
|
I think sending credentials here is a problem, when it comes to dealing with cross-site tracking. Either we only send SameSite=None cookies (which will be removed in the forseeable future), and will break everyone relying on credentialed reports, or we send SameSite=Lax/Strict cookies, which allows cross-site tracking. We also need to specify the Network Partition Key used for the upload, and the scope of data stored by the reporting API (likely also keyed on the Network Partition Key, again, to protect against cross-site tracking - a site could use a unique ID in the Report-To URL to track individual users). Chromium already has code, not yet enabled on stable, to both key reporting information and uploaded reports on the network partition key either of the original request (NEL, learning report-to information), or of the frame associated with a report. |
|
Sorry, I may make misunderstood the spec (influenced by Chromium's implementation) - is Report-To information now scoped to a document, so there's no global cache of Report-To information? That addresses all my concerns. It would inherit Same-Site-ness from the document, and could act like a normal subresource request. |
|
That is correct, everything covered by the Reporting API should be document-scoped. Reporting endpoint configuration is ephemeral, and reports from separate documents should not be sent together in the same POST request, even if they are coming from the same origin. (There's an open question there — whether it's okay to bundle together reports from different same-origin documents, as long as they are in a single agent cluster, but currently the spec does not allow that.) NEL is a different case, and isn't covered by the base reporting API. There is an extension to the spec, https://w3c.github.io/reporting/network-reporting.html, which allows for persistent configuration, but that will be a separate TAG review, and will certainly need to take your comments into consideration. |
|
That's great - thanks so much for setting me straight! Then this feature seems totally fine to me, as specced. |
|
@LeaVerou, @plinss and myself looked at our "Kronos" virtual f2f. It would great to have the following issues addressed:
|
|
Thanks for taking the time to look at this, @atanassov! I'll try to address each of those questions here -- note that some of these points have already been addressed as part of the TAG review of ReportingObserver mentioned in the 'You should also know that' section. As a general point, I'm not sure what you mean when you've used the word 'endpoint' -- in the spec, a reporting endpoint is the location of an HTTP server which can accept POST requests containing reports. I feel like you're using it to mean something different here, so if I've misunderstood your questions, let me know and I'll try to clarify.
Probably not, and this is by design -- the API is a generic framework for other other specs to use to achieve consistent reporting across features. I would prefer to evaluate this API on its own merits, based on what it can and cannot enable, rather than the specific list of current integrations. That said, I can understand that it's difficult to do that completely out of context. The current list of APIs which use this framework for reporting are:
(I hope I haven't missed any, but I'll comment if I find new ones)
Linked above at https://github.com/w3c/reporting/blob/master/security-and-privacy-questionnaire.md
The purpose of the reporting framework is to allow reports to be sent over HTTP to remote servers. Cross-origin and third-party servers are included by design, under the belief that:
I'm not sure what you mean here -- endpoints are the URLs / servers to which reports are sent. They don't have types, unless you're drawing a 1p/3p distinction, or categorizing them by the types of reports which they choose to accept. Can you clarify this question?
There was discussion on this when ReportingObserver was designed, although I wasn't part of those discussions at the time (@juliatuttle or @RByers may have additional historical context). I do believe that an observer would be preferable to an event, to support batching (reports are delivered as a list,) post hoc reporting (observers can be registered to retrieve reports from events which happened before they were created, which is useful for early-page-load events,) and to make it easy to write handlers for just some subset of report types. Additionally, the event infrastructure introduces complications such as bubbling, and can require coordination between multiple listeners, neither of which is useful here.
Not currently -- there are no free-form user-generated reports. The closest thing that exists is the test-driver-only generateTestReport API. However, it is not impossible for another spec to integrate in that way; nothing in this API prevents that. I suspect that would require a lot more scrutiny, for the possible XSS / injection issues at least. Is the TAG aware of other issues that would mean that we should strongly discourage such things?
No, by design there is an allowance for reports which are not visible. This can be just by necessity (crash reports, for instance), or it might be important for privacy, if there are cases where it's not advisable for the page to have immediate, real-time script access to user events.
This was discussed in w3c/reporting#72, and I think that the decision was made to follow the TAGs recommendations wherever possible, but that in some cases (CSP reports, for instance,) backwards-compatibility issues meant keeping camelCase identifiers. |
torgo
added
the
privacy-tracker
|
This seems related (we did an early review before) #419 |
|
We discussed in today's breakout just now and agreed we need a dedicated breakout to delve into this issue further. Tentatively scheduled for breakout slot A next week. Action on me to make that happen. |
|
@ylafon and I took a look at this during our virtual F2F, thank you for filling the Security and Privacy questionnaire and for your response to our earlier comments. At this point we don't have any further comment on this, this looks OK to proceed. Thanks! |
plinss
added
Resolution: satisfied
|
Thanks for the review! |
HIQaH! QaH! TAG!
I'm requesting a TAG review of the Reporting API.
The Reporting API is a mechanism for web servers to tell browsers where to send errors and other information about a browsing session.
Explainer¹ (minimally containing user needs and example code): https://github.com/w3c/reporting/blob/master/EXPLAINER.md
Specification URL: https://w3c.github.io/reporting/
Tests: Generic tests, but also feature integration tests
Security and Privacy self-review²: https://github.com/w3c/reporting/blob/master/security-and-privacy-questionnaire.md
GitHub repo (if you prefer feedback filed there): https://github.com/w3c/reporting/
Primary contacts (and their relationship to the specification):
Organization(s)/project(s) driving the specification: Google
Key pieces of existing multi-stakeholder review or discussion of this specification:
The Reporting API has been discussed within WebPerfWG several times; TPAC 2019 minutes, TPAC 2020 minutes, as well as issues such as Feedback from Mozilla w3c/reporting#158 and Privacy concerns regarding Reporting API w3c/reporting#169, which have resulted in a reduced scope for the specification and changes to the header.
External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
Further details:
You should also know that, while the Reporting API has shipped in Chrome for some time, and several features have integrated with it, and ReportingObserver has been reviewed by TAG, the API as a whole was never reviewed. This is relevant now as changes have been made to the scope of the API, as well as the header used and its syntax, which Chrome is looking to ship.
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback
The text was updated successfully, but these errors were encountered: