Add API for blocking clear text HTTP connections

[feinstein]

Dart uses sockets in order to make its HTTPS requests, which means any enforced HTTPS policies forced by the OS will be ineffective and won't work if we are using the dart HTTP stack.

An app can have multiple sources that trigger an HTTP request, many of those we can't control as they can be in a third party library.

Currently we can force HTTPS only connections passing this zone configuration to a Flutter app:

zoneValues: {#flutter.io.allow_http: false},

But I couldn't find this documented anywhere, thus could be changed at any time, so it's not a strong and guaranteed solution.

I this this configuration should be documented and also we should have a higher level mechanism for configuring it and not having to rely on Zone configurations for dealing with the HTTP stack configurations.

(Migrated from: flutter/flutter#95341)

[Markzipan]

Pinging @brianquinlan for this feature request!

[a-siva]

An app can have multiple sources that trigger an HTTP request, many of those we can't control as they can be in a third party library.

@feinstein by app here are you referring to a flutter app or any standalone Dart app too ?

[feinstein]

In theory this applies to any dart application. If I add a logging library to a pure dart app, that library can send logs through HTTP.

I think this is a bigger problem for Flutter applications, because mobile developers are used to restrict HTTPS connections in the native mechanisms (e.g. the Android app's Manifest), but this doesn't work for Flutter apps, so the devs think their apps are hardened and protected, but they are not.

[brianquinlan]

A quick explanation of how the current mechanism works:

HttpClient calls _httpConnectionHook when connecting to a URL:

  Future<_HttpClientRequest> _openUrl(String method, Uri uri) {
    ...
    _httpConnectionHook(uri);
   }

Flutter Engine defines the close hook:

/// Loopback connections are always allowed.
/// Zone override with 'flutter.io.allow_http' takes first priority.
/// If zone override is not provided, engine setting is checked.
@pragma('vm:entry-point')
void Function(Uri) _getHttpConnectionHookClosure(bool mayInsecurelyConnectToAllDomains) {
  return (Uri uri) {
      final Object? zoneOverride = Zone.current[#flutter.io.allow_http];
      if (zoneOverride == true) {
        return;
      }
      if (zoneOverride == false && uri.isScheme('http')) {
        // Going to _isLoopback check before throwing
      } else if (mayInsecurelyConnectToAllDomains || uri.isScheme('https')) {
        // In absence of zone override, if engine setting allows the connection
        // or if connection is to `https`, allow the connection.
        return;
      }
      // Loopback connections are always allowed
      // Check at last resort to avoid debug annoyance of try/on ArgumentError
      if (_isLoopback(uri.host)) {
        return;
      }
      throw UnsupportedError(
        'Non-https connection "$uri" is not supported by the platform. '
        'Refer to https://flutter.dev/docs/release/breaking-changes/network-policy-ios-android.');
    };
}

And Flutter Engine installs _getHttpConnectionHookClosure here:

void DartIO::InitForIsolate(bool may_insecurely_connect_to_all_domains,
                            const std::string& domain_network_policy) {
  Dart_Handle io_lib = Dart_LookupLibrary(ToDart("dart:io"));
  Dart_Handle result = Dart_SetNativeResolver(io_lib, dart::bin::LookupIONative,
                                              dart::bin::LookupIONativeSymbol);
  FML_CHECK(!CheckAndHandleError(result));

  Dart_Handle ui_lib = Dart_LookupLibrary(ToDart("dart:ui"));
  Dart_Handle dart_validate_args[1];
  dart_validate_args[0] = ToDart(may_insecurely_connect_to_all_domains);
  Dart_Handle http_connection_hook_closure =
      Dart_Invoke(ui_lib, ToDart("_getHttpConnectionHookClosure"),
                  /*number_of_arguments=*/1, dart_validate_args);
  FML_CHECK(!CheckAndHandleError(http_connection_hook_closure));
  Dart_Handle http_lib = Dart_LookupLibrary(ToDart("dart:_http"));
  FML_CHECK(!CheckAndHandleError(http_lib));
  Dart_Handle set_http_connection_hook_result = Dart_SetField(
      http_lib, ToDart("_httpConnectionHook"), http_connection_hook_closure);
  FML_CHECK(!CheckAndHandleError(set_http_connection_hook_result));
}

[brianquinlan]

What kind of API should we add to Dart?

I could imagine a new static field in HttpClient like:

class HttpClient {
  static set connectionFilter(Function(Uri uri) filter) => _filter = filter;
  static Function(Uri uri)  get connectionFilter => _filter;
}

And we'd modify _openUrl to call it.

You would have to ensure that you set this up per-Isolate and there is no way to do so automatically for non-embedders.

One pragmatic approach for users would be to just use a platform-native library (e.g. package:cupertino_http on iOS and package:cronet_http on Android) that will honor your configuration.

[feinstein]

Well, IMO your point regarding isolates is a crucial one and this would be a strong indication that Flutter should add a more easy-to-use API for configuring this, since the embedder is the only one who can assure this security feature. My original issue was for Flutter, but they asked me to move it to the Dart SDK repo.

@Hixie since we can't create a solution that is safe and can work across isolate spans using the dart sdk alone, I think this issue should be reopened on the Flutter repo side, so we could create a function to setup the HTTP clear text blocking, making it easier to pass this information to the Flutter engine, instead of using the more cryptic zone settings.

@brianquinlan Another suggestion that might help simplify this: could we have a shared configuration between all isolates? A unmodifiable object that we configure per application and all isolates have access to these shared memory of simple objects. This could help to abstract away the need for a zone configuration and the embedder, having this code on multiple levels and languages, since all Isolates will have access to this unmodifiable object. It won't solve the issue, but it could help to simplify the solution, since it could dart only in the future.

[brianquinlan]

I'll add a comment on flutter/flutter#95341

[brianquinlan]

@brianquinlan Another suggestion that might help simplify this: could we have a shared configuration between all isolates? A unmodifiable object that we configure per application and all isolates have access to these shared memory of simple objects. This could help to abstract away the need for a zone configuration and the embedder, having this code on multiple levels and languages, since all Isolates will have access to this unmodifiable object. It won't solve the issue, but it could help to simplify the solution, since it could dart only in the future.

Sharing configuration between Isolates would be a big discussion because the entire conceptual model behind isolates is that they don't share state. I'd be curious to know if there are Dart-without-Flutter use cases for this sort of functionality.

[mateusfccp]

Sharing configuration between Isolates would be a big discussion because the entire conceptual model behind isolates is that they don't share state. I'd be curious to know if there are Dart-without-Flutter use cases for this sort of functionality.

I'm not sure I would consider configuration and state as equivalent...