
Kick Those Scripts to the Sandbox @ DC JavaScript

Do you want Tweets or your latest Instagram food picture to display nicely in your site? Just load this third-party script into your site — never mind what it does! … err, what’s the difference between third-party scripts and a cross-site scripting attack again? Can’t third-party scripts steal user credentials, track users without their consent, and hijack your site for advertising purposes? In this talk, we’ll discuss different ways of sandboxing these scripts to increase your site’s security, stability, and protect the privacy of your users. You’ll leave with an understanding of the latest browser features designed to protect you and your users.

Andrew Dunkman

April 11, 2019

Transcript

  1. Kick those scripts to the sandbox
    Andrew Dunkman
    @adunkman

  2. 1 Trust and security on the web
    2 Malvertising & the principle of least privilege
    3 Extending the browser sandbox

  3. 1 Trust and security on the web

  5. 1 Trust and security on the web
    Download this app!

  9. 1 Trust and security on the web
    Go to this site!
    https://www.google.com

  10. 1 Trust and security on the web
    Go to this site!
    https://www.weather.gov

  11. 1 Trust and security on the web
    Go to this site!
    https://rebecca.blackfriday

  12. 1 Trust and security on the web
    Go to this site!
    https://.la

  14. 1 Trust and security on the web
    Web security model basics
    Site scripts cannot access sensitive parts of your device.
    Downloaded content can’t be too large, and can be deleted at any time.
    Pages and scripts on the same site can communicate, but cannot communicate with different sites.

  15. 1 Trust and security on the web
    Web security model basics
    Site scripts cannot access sensitive parts of your device.
    Downloaded content can’t be too large, and can be deleted at any time.
    Pages and scripts on the same site can communicate, but cannot communicate with different sites.
    Sandbox’d!

  16. 1 Trust and security on the web
    Web security has changed over time
    Web security is always changing as the world changes how the internet is used.
    You’re responsible for protecting those less technically literate.

  18. 1 Trust and security on the web
    Instant Heart Rate: HR Monitor
    Flo Health Inc.’s Flo Period & Ovulation Tracker

  19. 1 Trust and security on the web
    cross-site scripting attacks
    Malicious third-party scripts running in a trusted page.

  20. 1 Trust and security on the web
    cross-site scripting attacks
    Malicious third-party scripts running in a trusted page.
    Advertising and social media embeds
    Malicious third-party scripts running in a trusted page.
    NON

  22. 2 Malvertising & the principle of least privilege

  23. 2 Malvertising & The principle of least privilege
    malvertising
    Malware (malicious software) advertising — when a trusted third-party script betrays that trust.

  24. 2 Malvertising & The principle of least privilege
    malvertising

  26. 2 Malvertising & The principle of least privilege
    the power of the browser
    We don’t often see the power we’re granting to third party scripts.
    theannoyingsite.com

  27. 2 Malvertising & The principle of least privilege
    the principle of least privilege
    If you have trustworthy neighbors, do they have your house keys? Do they have everyone’s house keys?
    If you have a trustworthy application, do they have access to data from other applications? The ability to delete all your photos?

  28. 2 Malvertising & The principle of least privilege
    Do you follow this principle?
    Unless you limit them, third-party scripts have control to do horrible things to people.
    You are responsible for what they do.

  30. 3 Extending the browser sandbox

  31. 3 Extending the browser sandbox
    by default, share and allow everything
    Backwards compatibility is one of the web’s biggest constraints.
    Tighter security is opt-in, which is taken advantage of by malicious sites and advertisers.

  32. 3 Extending the browser sandbox
    don’t share session data
    By default, cookies are shared with third-party scripts within your sandbox.
    This can be prevented by hiding cookies from JavaScript.
    Set-Cookie: user=wero2oi34jlksdf; path=/; HttpOnly

  33. 3 Extending the browser sandbox
    Don’t share where you’ve been
    By default, the current URL is provided to the next page and embedded frames.
    This can be prevented by implementing a Referrer-Policy.
    Referrer-Policy: no-referrer

  34. 3 Extending the browser sandbox
    Referrer-policy settings
    no-referrer
    no-referrer-when-downgrade
    origin
    origin-when-cross-origin
    same-origin
    strict-origin
    strict-origin-when-cross-origin
    unsafe-url

  35. 3 Extending the browser sandbox
    Don’t allow certain behaviors
    All behaviors are enabled by default, but can be disabled by specifying an allow-list.
    Content-Security-Policy: sandbox allow-scripts allow-same-origin allow-popups

  36. 3 Extending the browser sandbox
    sandbox settings
    allow-forms
    allow-modals
    allow-orientation-lock
    allow-pointer-lock
    allow-popups
    allow-popups-to-escape-sandbox
    allow-presentation
    allow-same-origin
    allow-scripts
    allow-storage-access-by-user-activation
    allow-top-navigation
    allow-top-navigation-by-user-activation

  40. 3 Extending the browser sandbox
    Don’t allow unexpected domains
    The browser will load scripts, fonts, videos, and all other content from anywhere by default.
    Instead, an allow-list can be specified.
    Content-Security-Policy: default-src 'self' *.googleanalytics.com

  41. 3 Extending the browser sandbox
    content-security-policy settings
    default-src
    connect-src
    font-src
    frame-src
    img-src
    manifest-src
    media-src
    object-src
    script-src
    style-src
    worker-src
    report-uri

  45. 3 Extending the browser sandbox
    don’t allow browser features
    By default, anything the browser can do is allowed.
    Instead, an allow-list can be specified.
    Feature-Policy: autoplay 'none'; geolocation 'none'

  46. 3 Extending the browser sandbox
    Feature-policy settings
    autoplay
    camera
    document-domain
    encrypted-media
    fullscreen
    geolocation
    microphone
    midi
    payment
    vr
    vibrate
    accelerometer
    ambient-light-sensor
    gyroscope
    layout-animations
    legacy-image-formats
    magnetometer
    oversized-images
    picture-in-picture
    speaker
    sync-xhr
    unoptimized-images
    unsized-media
    usb
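The audit below checks one response's headers for the four opt-ins covered on slides 32 through 46: an HttpOnly session cookie, a Referrer-Policy, a Content-Security-Policy with a default-src allow-list and a sandbox directive, and a Feature-Policy. It is an added example, not code from the talk; `parseCsp`, `auditHeaders` and the finding messages are this example's own, and the headers used to exercise it are constructed from the deck's slides.

```javascript
// Added example (not from the talk): audit a response's headers against the
// opt-ins the deck describes: HttpOnly cookies, a Referrer-Policy, a CSP
// allow-list with a sandbox directive, and a Feature-Policy.

// Parse "default-src 'self' *.example.com; sandbox allow-scripts" into
// { 'default-src': ["'self'", '*.example.com'], sandbox: ['allow-scripts'] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns a list of findings; an empty list means every opt-in is present.
// `headers` maps header names to a value (Set-Cookie may be an array).
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  // 1. Session cookies must be hidden from scripts (HttpOnly attribute).
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    if (!/;\s*httponly\s*(;|$)/i.test(cookie)) {
      findings.push(`cookie "${cookie.split('=')[0]}" lacks HttpOnly`);
    }
  }
  // 2. Don't hand the current URL to the next page or to embedded frames.
  const referrer = (h['referrer-policy'] || '').trim().toLowerCase();
  if (!referrer) findings.push('no Referrer-Policy header');
  else if (referrer === 'unsafe-url') findings.push('Referrer-Policy unsafe-url sends full URLs');
  // 3. CSP: an origin allow-list (default-src) plus the sandbox directive.
  if (!h['content-security-policy']) {
    findings.push('no Content-Security-Policy: content loads from anywhere');
  } else {
    const csp = parseCsp(h['content-security-policy']);
    const def = csp['default-src'];
    if (!def) findings.push('CSP has no default-src');
    else if (def.includes('*')) findings.push("default-src '*' allows every origin");
    if (!csp.sandbox) findings.push('CSP has no sandbox directive');
  }
  // 4. Browser features stay enabled unless a Feature-Policy restricts them.
  if (!h['feature-policy']) findings.push('no Feature-Policy header');
  return findings;
}
```

Call `auditHeaders` with the headers of a response (for example from a fetch in a test) and treat any returned finding as an opt-in that is still missing.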

  47. 3 Extending the browser sandbox
    Applying these techniques
    Interest in this area began with a site with a tight Content-Security-Policy and Twitter…
    Do I want to give Twitter control of my site’s users?

  48. 3 Extending the browser sandbox
    Crazy ideas!?
    Using limited VirtualDOM diffing with a WebWorker — maybe impossible, but maybe magic.

  49. 3 Extending the browser sandbox
    Crazy ideas!?

  50. Web security is your responsibility to opt-in to. Please do it.

  51. Thank you
    Questions?
    Find me after, join the group, and ask!
    I’m happy to answer any and all questions.