Tool retrieval: wildcard or not

[domfarolino]

Chromium has implemented document.modelContext.getTools(), which I'm planning to spec, but we should discuss an important security implication before doing so.

As planned (and as currently implemented), getTools() resolves to a list of all tools that a Document has access to, controlled only by those that choose to register tool for the caller of getTools(). If in a frame tree, if both Evil.com and Victim.com have the tools permission, then Evil.com can "inject" tools into Victim.com's getTools() list, without Victim.com ever knowing about Evil.com or opting-in to see tools from that origin.

The onus is on Victim.com to manually check the tool's origin to see if it trusts the vendor of the tool, just like postMessage(): the onus is on the recipient of the message, to vet the sender's origin. Some of the web platform security folks we've been talking to believe it's best to force the caller of getTools() to supply a list of origins that it would like to see tools from, effectively making the resolved list the intersection of:

• Tools that have been explicitly exposed to the getTools() caller's origin; and
• Tools from the set of origins that the caller passes to getTools()

We were planing to add * wildcard as a supported value to the exposedTo array, so that the provider of a tool can send it to everyone. We should figure out how the proposal of locking down getTools() intersects with that. There are a few options:

1. Same-origin default; opt-in wildcard
   • getTools() defaults to showing same-origin tools only
   • registerTool() defaults to exposing tools to same-origin, if exposedTo isn't included
   • Both support the * wildcard, so you can expose and receive tools from any origins, if you so dare to
2. No wildcard; only explicit origin sharing/calling
   • Same defaults as above, but neither support wildcard. All tool sharing/invoking has to be via explicit origin
3. Something in between
   • exposedTo doesn't support wildcard (this matches the spec today), but getTools() defaults to *, and the caller is responsible for vetting each tool's origin before running

(1) Is ultra usable, and supports the most use cases. (2) Is ultra secure, but requires explicit origin negotiation probably through postMessage(), and probably means JS agents/tool vendors will need to ship down static origin allowlists to approve/deny embedders and tools on the fly. This is tedious and might seriously hurt adoption, especially for third-party agents that are meant to be embedded on thousands of sites, and accept tools from thousands of origins. (3) This is a little—exposedTo is more secure that postMessage()'s targetOrigin since it doesn't allow *, but getTools() is just as secure as onmessageevent handlers, since the onus is on the tool retriever to vet the supplier of the tool. Probably this option is weird and no more secure than postMessage() today.

I personally would love to see us go with (1)—it's safe by default, but maximally useful/open when users of both sides of the tool ecosystem choose to be.

/cc @johannhof @camillelamy

[johannhof]

I'd like to understand what potential use cases we see for using registerTool with "*" that fit the security model of a rational web developer. Exposing tools to any site on the web with an active user session is virtually guaranteed to lead to CSRF by random sites. So they would have to do some form of origin validation anyway, no?

Exposing unauthenticated tools is definitely a lot safer (albeit not quite since the result could still be surfaced to the user in the tool registering site somehow), but also seems a lot less attractive overall. The whole point of this is that it happens in a browser which can carry state, handle authentication, show UI to the user, etc., right? Otherwise it's just an API call.

[domfarolino]

I think the Shopify use case might be relevant. From talking with @yoavweiss I understand that there may be an in-page agent in a merchant site's top-level origin, running a set of common tools exposed by a tools.shopify.com iframe. This iframe gets embedded by all Shopify sites. I'm sure that iframe has some general embedder protections (maybe CSP frame-ancestors validated on the server, or something). But since there are tens of thousands of Shopify sites, I'm not sure they'd want to include that long of a list directly in JavaScript to pass into registerTool() so that the tools work on valid merchant sites. Also it might not be feasible to update client-side assets like that every single time a Shopify website is added/removed from the internet. That seems hard to keep in sync.

[yoavweiss]

Caveat: these are all hypothetical use cases I can see play out. None of this is necessarily something Shopify is shipping or intending to ship :)

I think it makes sense to distinguish "" for registerTool vs. "" for getTool.

For registerTool the use case for "*" is exactly what @domfarolino pointed out - an iframe that wants to expose tools working on data it has to either the top-level frame or an iframe-based in-page agent.

An iframe in such a position definitely needs the ability to only expose data to a well-known origin (e.g. "what product categories the user is typically interested in" can be sensitive info, and may be something the iframe only exposes to a trusted in-frame in-page agent).

But it may also have tools that it fine with sharing to any top-level origin or iframe origin (e.g. "what related products does this store have compared to the current product" in the merchant use case). I can see the same need with publisher's 3P providers (e.g. "Related content a user reading this may also like").

For getTools(), an in-page agent can convey their trust of the tools exposed by 3P. Obviously, it can trust only same-origin tools (the default), or tools from some origins. But it can also say "I trust any tools exposed to me", and assume that the top-level page set its permission-policies correctly and that untrusted iframes have no permissions to publish tools that may do something malicious (e.g. steal user data).