Page MenuHomePhabricator
Create Task
Maniphest T209572

Feature Policy Reporting origin trial
Closed, ResolvedPublic
Actions

Description

https://developers.google.com/web/updates/2018/06/feature-policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

combined with

https://www.w3.org/TR/reporting/

Of particular interest:
sync-xhr https://www.chromestatus.com/feature/5154875084111872
document-write https://github.com/WICG/feature-policy/blob/master/policies/document-write.md
unsized-media https://github.com/WICG/feature-policy/blob/master/policies/unsized-media.md

Origin trial running until July 24, Chrome 73-75: https://github.com/w3c/webappsec-feature-policy/blob/master/reporting.md

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Gilles created this task.Nov 15 2018, 9:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 15 2018, 9:28 AM
Gilles added a comment.Nov 19 2018, 12:45 PM

While the Feature policies have been implemented in Chrome some time ago, and the reporting feature added as well, the "report only" mode hasn't been implemented yet:

Capture d'écran 2018-11-19 13.36.53.png (148×1 px, 52 KB)

Tests have been added a few days ago: https://chromium.googlesource.com/chromium/src/+/f482e77e59ef0a506e745182ca6843080cd8d1ea but as far as I can tell in Canary, the feature doesn't work yet.

Gilles claimed this task.Nov 19 2018, 12:45 PM
Gilles triaged this task as Medium priority.
Gilles changed the task status from Open to Stalled.Nov 19 2018, 12:48 PM
Gilles moved this task from Inbox, needs triage to Blocked (old) on the Performance-Team board.Nov 19 2018, 9:12 PM
Gilles added a comment.Feb 5 2019, 9:27 AM

Should be available as an Origin Trial soon: https://bugs.chromium.org/p/chromium/issues/detail?id=867471#c19

Gilles changed the task status from Stalled to Open.Feb 19 2019, 9:46 PM
Gilles updated the task description. (Show Details)
Gilles moved this task from Blocked (old) to Doing (old) on the Performance-Team board.
Gilles renamed this task from Use Feature Policies in Report-Only mode to detect bad practices to Feature Policy Reporting origin trial.Feb 20 2019, 8:42 AM
Gilles added a parent task: T216595: Add Origin Trial support to MediaWiki.
Gilles updated the task description. (Show Details)Feb 20 2019, 8:56 AM
gerritbot subscribed.Mar 7 2019, 3:31 PM

Change 494959 had a related patch set uploaded (by Gilles; owner: Gilles):
[mediawiki/core@master] [WIP] Reporting API and Feature Policy reporting support

https://gerrit.wikimedia.org/r/494959

gerritbot added a project: Patch-For-Review.Mar 7 2019, 3:31 PM
Gilles added a comment.Mar 7 2019, 3:32 PM

Tried it with sync-xhr, couldn't get it to work. Left a comment on the Chromium bug: https://bugs.chromium.org/p/chromium/issues/detail?id=867471&can=2&start=0&num=100&q=&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&groupby=&sort=

This is why the patch is marked as WIP for now, maybe I got something wrong with the syntax?

Krinkle added a project: Security-Team.Mar 8 2019, 1:56 AM
Krinkle added subscribers: JBennett, Krinkle.Mar 8 2019, 2:03 AM

@JBennett FYI, we're experimenting with two new browser features.

  1. "Origin Trials" is a meta feature of Google Chrome, it's how they ship experimental features to a select audience (opt-in) with an expiry for when it turns itself off again.
  2. "Feature Policy", is meta feature being worked on by W3C webappsec, it revolves around a header (kind of like CSP) which allows sites to disable JavaScript APIs normally exposed by the browser (examples).

The Feature Policy API itself is experimental (W3C draft), and shipped in Chrome stable as an origin trial.

gerritbot added a comment.Mar 19 2019, 1:18 PM

Change 494959 had a related patch set uploaded (by Gilles; owner: Gilles):
[mediawiki/core@master] Reporting API and Feature Policy reporting support

https://gerrit.wikimedia.org/r/494959

Gilles mentioned this in T218618: Add no-transform to Cache-Control header.Mar 21 2019, 12:04 PM
gerritbot added a comment.Mar 28 2019, 6:59 AM

Change 499709 had a related patch set uploaded (by Gilles; owner: Gilles):
[mediawiki/vagrant@master] Enable various origin trials

https://gerrit.wikimedia.org/r/499709

gerritbot added a comment.Mar 28 2019, 6:59 AM

Change 499710 had a related patch set uploaded (by Gilles; owner: Gilles):
[mediawiki/vagrant@master] Update origin trials tokens

https://gerrit.wikimedia.org/r/499710

gerritbot added a comment.Mar 28 2019, 7:11 AM

Change 499709 merged by jenkins-bot:
[mediawiki/vagrant@master] Enable various origin trials

https://gerrit.wikimedia.org/r/499709

gerritbot added a comment.Mar 28 2019, 7:19 AM

Change 499710 merged by jenkins-bot:
[mediawiki/vagrant@master] Update origin trials tokens

https://gerrit.wikimedia.org/r/499710

gerritbot added a comment.Apr 13 2019, 4:50 PM

Change 494959 merged by jenkins-bot:
[mediawiki/core@master] Reporting API and Feature Policy reporting support

https://gerrit.wikimedia.org/r/494959

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.1; 2019-04-16).Apr 13 2019, 5:00 PM
Gilles removed a project: Patch-For-Review.Apr 13 2019, 6:28 PM
gerritbot added a comment.May 1 2019, 12:59 PM

Change 507555 had a related patch set uploaded (by Gilles; owner: Gilles):
[operations/mediawiki-config@master] Enable Feature Policy Reporting origin trial

https://gerrit.wikimedia.org/r/507555

gerritbot added a project: Patch-For-Review.May 1 2019, 12:59 PM
gerritbot added a comment.May 1 2019, 1:03 PM

Change 507555 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable Feature Policy Reporting origin trial

https://gerrit.wikimedia.org/r/507555

gerritbot added a comment.May 1 2019, 1:10 PM

Change 507559 had a related patch set uploaded (by Gilles; owner: Gilles):
[operations/mediawiki-config@master] Fix syntax of wgFeaturePolicyReportOnly fields

https://gerrit.wikimedia.org/r/507559

gerritbot added a comment.May 1 2019, 1:12 PM

Change 507559 merged by jenkins-bot:
[operations/mediawiki-config@master] Fix syntax of wgFeaturePolicyReportOnly fields

https://gerrit.wikimedia.org/r/507559

Gilles added a comment.May 1 2019, 1:23 PM

Submitted an upstream issue: https://github.com/w3c/webappsec-feature-policy/issues/305

gerritbot added a comment.May 1 2019, 1:24 PM

Change 507563 had a related patch set uploaded (by Gilles; owner: Gilles):
[operations/mediawiki-config@master] Remove unsupported wgFeaturePolicyReportOnly types

https://gerrit.wikimedia.org/r/507563

gerritbot added a comment.May 1 2019, 1:26 PM

Change 507563 merged by jenkins-bot:
[operations/mediawiki-config@master] Remove unsupported wgFeaturePolicyReportOnly types

https://gerrit.wikimedia.org/r/507563

Stashbot added a comment.May 1 2019, 1:31 PM

Mentioned in SAL (#wikimedia-operations) [2019-05-01T13:31:45Z] <gilles@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T209572 Enable Feature Policy Reporting origin trial (duration: 01m 01s)

Gilles added a comment.May 1 2019, 1:36 PM

The API is definitely working, we're getting reports of sync XHRs. Unfortunately since the reports are sent as POSTS, varnishlog alone can't let us inspect the contents, as it's unable to look at POST request bodies (because those aren't cacheable, by definition). In order to see what we're actually getting, we need to set up a Varnish backend for this.

Gilles added a comment.May 1 2019, 1:45 PM

Hah, actually a workaround is to set up a ReportingObserver, and then we could ship them with EventLogging. Obviously this only works for reports like sync-xhr where the page actually works. But this allows us to look at sync-xhr without having to set up the whole infrastructure required to capture all report types via the reporting endpoint.

Gilles added a comment.May 1 2019, 1:49 PM

We might even be able to disable the endpoint for now, I'll check if the observer gets the report without the report-to header being set.

gerritbot added a comment.May 1 2019, 1:51 PM

Change 507571 had a related patch set uploaded (by Gilles; owner: Gilles):
[operations/mediawiki-config@master] Disable Reporting API endpoint

https://gerrit.wikimedia.org/r/507571

gerritbot added a comment.May 1 2019, 1:54 PM

Change 507571 merged by jenkins-bot:
[operations/mediawiki-config@master] Disable Reporting API endpoint

https://gerrit.wikimedia.org/r/507571

Gilles added a comment.May 1 2019, 1:56 PM

Indeed, the observer can work without the reporting endpoint. This will be sufficient for this origin trial. And we have a pretty good idea now of what kind of pipeline we'll need when we want to collect actual Reporting API reports.

Stashbot added a comment.May 1 2019, 1:57 PM

Mentioned in SAL (#wikimedia-operations) [2019-05-01T13:57:50Z] <gilles@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T209572 Disable Reporting API endpoint (duration: 00m 59s)

gerritbot added a comment.May 4 2019, 5:12 PM

Change 507584 had a related patch set uploaded (by Krinkle; owner: Gilles):
[mediawiki/extensions/NavigationTiming@master] Observe and report feature policy violations

https://gerrit.wikimedia.org/r/507584

gerritbot added a comment.May 12 2019, 12:49 PM

Change 509630 had a related patch set uploaded (by Gilles; owner: Gilles):
[mediawiki/vagrant@master] Renew origin trial tokens

https://gerrit.wikimedia.org/r/509630

gerritbot added a comment.May 13 2019, 6:14 PM

Change 509630 merged by jenkins-bot:
[mediawiki/vagrant@master] Renew origin trial tokens

https://gerrit.wikimedia.org/r/509630

Gilles raised the priority of this task from Medium to High.May 27 2019, 5:04 AM
gerritbot added a comment.Jun 13 2019, 4:06 PM

Change 507584 merged by jenkins-bot:
[mediawiki/extensions/NavigationTiming@master] Observe and report feature policy violations

https://gerrit.wikimedia.org/r/507584

ReleaseTaggerBot edited projects, added MW-1.34-notes (1.34.0-wmf.10; 2019-06-18); removed MW-1.34-notes (1.34.0-wmf.1; 2019-04-16).Jun 13 2019, 5:00 PM
Gilles removed a project: Patch-For-Review.Jun 19 2019, 2:10 PM
Gilles added a comment.EditedJun 19 2019, 2:20 PM

We should start getting reports onces eswiki and ruwiki have moved onto wmf.10 tomorrow

Krinkle moved this task from Doing (old) to To-do: Goals prioritized current Quarter on the Performance-Team board.Aug 6 2019, 1:11 AM
Gilles added a comment.EditedAug 20 2019, 5:00 PM

We have sync-xhr reports, as expected. For the most part (%) they come from Chrome extensions.

This one comes up a lot: https://chrome.google.com/webstore/detail/s3translator/debnnjfbneojbmioajinefnflopdohjk?hl=en

I'm also seeing some weird source files hosted on 3rd-parties: https://sfops.ru/xxxoxx/23f84e9c86281c112ece8d87854dd435/ru.wikipedia.org?ref=ru.wikipedia.org&adb=false&ref_path=%252Fwiki%252F%2525D0%25259F%2525D0%2525B0%2525D1%252580%2525D0%2525BB%2525D0%2525B0%2525D0%2525BC%2525D0%2525B5%2525D0%2525BD%2525D1%252582%2525D1%252581%2525D0%2525BA%2525D0%2525B8%2525D0%2525B5_%2525D0%2525B2%2525D1%25258B%2525D0%2525B1%2525D0%2525BE%2525D1%252580%2525D1%25258B_%2525D0%2525BD%2525D0%2525B0_%2525D0%2525A3%2525D0%2525BA%2525D1%252580%2525D0%2525B0%2525D0%2525B8%2525D0%2525BD%2525D0%2525B5_(2019)&r=1563812951317

https://aldamva.ru/xxxoxx/25d02a4c13429dfd313ce11b0d90b47e/ru.wikipedia.org?ref=ru.wikipedia.org&adb=false&ref_path=%252Fwiki%252F%2525D0%252591%2525D1%25258B%2525D1%252581%2525D1%252582%2525D1%252580%2525D0%2525B8%2525D1%252586%2525D0%2525BA%2525D0%2525B0%2525D1%25258F%252C_%2525D0%2525AD%2525D0%2525BB%2525D0%2525B8%2525D0%2525BD%2525D0%2525B0_%2525D0%252590%2525D0%2525B2%2525D1%252580%2525D0%2525B0%2525D0%2525B0%2525D0%2525BC%2525D0%2525BE%2525D0%2525B2%2525D0%2525BD%2525D0%2525B0&r=1561915117425

That second one gets flagged as a phishing site by cloudflare.

Looks like code to inject ads. I wonder if it's also coming from a nasty Chrome extension that injects ads into the page. I'm seeing a lot of Chrome extension whose hash isn't found on the Chrome web store, so that really smells like virus/adware.

Some Kaspersky stuff: https://gc.kis.scr.kaspersky-labs.com/1B74BD89-2A22-4B93-B451-1C9E1052A0EC/main.js

This might come from an extension as well.

A user script shows up: https://ru.wikipedia.org/w/index.php?title=User:%D0%9C%D0%B0%D1%81%D1%82%D0%B5%D1%80_%D1%82%D0%B5%D0%BD%D0%B5%D0%B9/%D0%9F%D0%BE%D0%BC%D0%BE%D1%89%D0%BD%D0%B8%D0%BA_%D0%BF%D0%B0%D1%82%D1%80%D1%83%D0%BB%D1%8F.js&action=raw&ctype=text/javascript nothing surprising there.

Finally, a lot of the entries don't have a "sourceFile" value, suggesting that it came from JS on the page. I'll look at those next to see if there's any pattern.

Gilles added a comment.Aug 20 2019, 5:42 PM

Looking at entries without sourceFile attribution, I notice that there are some patterns in terms of line/column number. Here are the most common:

linenumber columnnumber count
1 72 486
1 100 179
2 95 105
3 72 48
11 95 56
12 95 50
28 13 854
122 95 14

When opening the articles that these reports are coming from, I'm not seeing any sync xhr on pageload.

Looking at the most common one (28/13), it seems like it tends to have multiple sync xhrs per pageload, as I'm seeing only 227 distinct pageviewToken values for it.

Given the prominence of what looks like adware in reports that do get attribution, I'm going to guess that it's more of the same.

I haven't been able to find any occurrence of a sync xhr that seemed to come from our code. Reports are coming from anonymous users, which makes it unlikely that the xhr is a result of page interaction.

Gilles closed this task as Resolved.Aug 20 2019, 5:45 PM

This will be a useful API when released, particularly when it starts supporting other types of reports. However, it's likely that the bulk of the reports will be coming from browser extensions, adware, etc.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Aug 30 2019, 4:11 PM
Bawolff subscribed.Dec 15 2019, 5:56 PM
Bawolff added a comment.Dec 15 2019, 6:02 PM

CSP is moving to using the reports-to header. At some point it might make sense to make our CSP reporting use this style of report-to with the varnishkafka beacon instead of the current solution involving the api module.

sbassett moved this task from Our Part Is Done to Watching on the Security-Team board.Dec 16 2019, 4:01 PM
Krinkle added a comment.Apr 12 2023, 5:16 AM

Remove redundant wgOriginTrials and wgFeaturePolicyReportOnly settings
https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/891314

gerritbot added a comment.Apr 12 2023, 5:28 AM

Change 908018 had a related patch set uploaded (by Krinkle; author: Krinkle):

[mediawiki/extensions/NavigationTiming@master] Remove FeaturePolicyViolation instrumentation

https://gerrit.wikimedia.org/r/908018

gerritbot added a project: Patch-For-Review.Apr 12 2023, 5:28 AM
gerritbot added a comment.Apr 12 2023, 9:41 PM

Change 908018 merged by jenkins-bot:

[mediawiki/extensions/NavigationTiming@master] Remove FeaturePolicyViolation instrumentation

https://gerrit.wikimedia.org/r/908018

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.5; 2023-04-17).Apr 12 2023, 10:00 PM
gerritbot added a comment.Apr 13 2023, 12:30 AM

Change 908382 had a related patch set uploaded (by Krinkle; author: Krinkle):

[operations/puppet@production] eventlogging: Remove unused FeaturePolicyViolation schema

https://gerrit.wikimedia.org/r/908382

gerritbot added a comment.Nov 21 2023, 5:18 PM

Change 908382 merged by RLazarus:

[operations/puppet@production] eventlogging: Remove obsolete FeaturePolicyViolation schema

https://gerrit.wikimedia.org/r/908382

gerritbot added a comment.Nov 21 2023, 7:10 PM

Change 976303 had a related patch set uploaded (by Ottomata; author: Ottomata):

[operations/puppet@production] refine - Put SpecialMuteSubmit and FeaturePolicyViolation in eventlogging analytics exclude list

https://gerrit.wikimedia.org/r/976303

gerritbot added a comment.Nov 21 2023, 7:17 PM

Change 976303 merged by Ottomata:

[operations/puppet@production] refine - Put SpecialMuteSubmit and FeaturePolicyViolation in exclude list

https://gerrit.wikimedia.org/r/976303

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL