
Kick Those Scripts to the Sandbox: Web Security is Your Responsibility @ VueDC


Do you want Tweets or your latest Instagram food picture to display nicely in your site? Just load this third-party script into your site — never mind what it does! … err, what’s the difference between third-party scripts and a cross-site scripting attack again? Can’t third-party scripts steal user credentials, track users without their consent, and hijack your site for advertising purposes? In this talk, we’ll discuss different ways of sandboxing these scripts to increase your site’s security, stability, and protect the privacy of your users. You’ll leave with an understanding of the latest browser features designed to protect you and your users.

Andrew Dunkman

December 18, 2019


Transcript

  1. Kick those scripts to the sandbox
     Andrew Dunkman
     @adunkman

  2. 1 Trust and security on the web
     2 Malvertising & the principle of least privilege
     3 Extending the browser sandbox

  3. 1 Trust and security on the web
     Download this app!


  7. Go to this site! https://www.google.com

  8. Go to this site! https://www.weather.gov

  9. Go to this site! https://rebecca.blackfriday

  10. Go to this site! https://.la


  12. Web security model basics
      Site scripts cannot access sensitive parts of your device.
      Downloaded content can’t be too large, and can be deleted at any time.
      Pages and scripts on the same site can communicate, but cannot communicate with different sites.
      Sandbox’d!

  13. Web security has changed over time
      Web security is always changing as the world changes how the internet is used.
      You’re responsible for protecting those less technically literate.

  14. Instant Heart Rate: HR Monitor
      Flo Health Inc.’s Flo Period & Ovulation Tracker

  15. Cross-site scripting attacks: malicious third-party scripts running in a trusted page.
      Advertising and social media embeds: non-malicious third-party scripts running in a trusted page.


  17. 2 Malvertising & the principle of least privilege
      Malvertising: malware (malicious software) advertising — when a trusted third-party script betrays that trust.

  18. The power of the browser
      We don’t often see the power we’re granting to third-party scripts.
      theannoyingsite.com


  20. The principle of least privilege
      If you have trustworthy neighbors, do they have your house keys? Do they have everyone’s house keys?
      If you have a trustworthy application, does it have access to data from other applications? The ability to delete all your photos?

  21. Do you follow this principle?
      Unless you limit them, third-party scripts have the power to do horrible things to people.
      You are responsible for what they do.


  23. 3 Extending the browser sandbox
      By default, share and allow everything
      Backwards compatibility is one of the web’s biggest constraints.
      Tighter security is opt-in, which malicious sites and advertisers take advantage of.

  24. Don’t share session data
      By default, cookies are readable by third-party scripts running within your sandbox.
      This can be prevented by hiding cookies from JavaScript with the HttpOnly attribute.

      Set-Cookie: user=wero2oi34jlksdf; path=/; HttpOnly
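The slide shows the header that hides a cookie from page scripts. As an added example (not code from the talk), the script below parses Set-Cookie headers and reports which hardening attributes a session cookie is missing. It goes a little beyond the slide: besides HttpOnly it also checks Secure and SameSite, which keep the cookie off plain-HTTP and cross-site requests. Function names and the sample headers are the editor's own; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the talk): audit Set-Cookie headers for the attributes
// that keep a session cookie away from page scripts and cross-site requests.

// Parse one Set-Cookie header value into name/value plus attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Findings for a session cookie. HttpOnly is the slide's point (hidden from
// document.cookie); Secure and SameSite are the usual companions.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) findings.push(`${name}: readable by page scripts (add HttpOnly)`);
  if (!attributes.secure) findings.push(`${name}: sent over plain HTTP (add Secure)`);
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push(`${name}: sent on cross-site requests (add SameSite=Lax or Strict)`);
  }
  return findings;
}

// A hardened Set-Cookie value for a session identifier.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers: the talk's example and a hardened version of it.
const SAMPLE_HEADERS = [
  'user=wero2oi34jlksdf; path=/; HttpOnly',
  hardenedSessionCookie('user', 'wero2oi34jlksdf'),
];

for (const h of SAMPLE_HEADERS) {
  const findings = auditSessionCookie(h);
  console.log(h);
  console.log(findings.length ? findings.map((f) => '  - ' + f).join('\n') : '  ok');
}
```

Run it with `node` and the talk's cookie passes the HttpOnly check but is flagged for the two other attributes; the hardened header produces no findings. A cookie a third-party script cannot read is still sent on every request the script triggers, which is why the SameSite check sits beside HttpOnly.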

  25. Don’t share where you’ve been
      By default, the current URL is provided to the next page and embedded frames.
      This can be prevented by implementing a Referrer-Policy.

      Referrer-Policy: no-referrer

  26. Referrer-Policy settings
      no-referrer
      no-referrer-when-downgrade
      origin
      origin-when-cross-origin
      same-origin
      strict-origin
      strict-origin-when-cross-origin
      unsafe-url
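The slide lists the eight policy values without saying what each one leaks. As an added example (not from the talk), the script below implements the Referrer Policy specification's decision for each value and prints what an embedded third-party resource would receive in the Referer header. The scenario URLs are constructed; function names are the editor's own. It runs under Node.js using only the built-in URL class. Since 2020 browsers use strict-origin-when-cross-origin when no policy is set, which the table helps put in context.

```javascript
// Added example (not from the talk): what the Referer header carries under each
// Referrer-Policy value, following the spec's "determine request's referrer".

// The spec strips credentials and the fragment before using a URL as a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form: scheme://host[:port]/
function originOf(url) {
  return new URL(url).origin + '/';
}

// Simplification: a "downgrade" here is https -> http. The spec's notion is
// "TLS-protected source to non-potentially-trustworthy target", which also
// treats localhost as trustworthy; that refinement is omitted.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value to send, or null when no Referer is sent at all.
function referrerFor(policy, sourceUrl, destinationUrl) {
  const full = stripForReferrer(sourceUrl);
  const origin = originOf(sourceUrl);
  const same = sameOrigin(sourceUrl, destinationUrl);
  const downgrade = isDowngrade(sourceUrl, destinationUrl);
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return origin;
    case 'same-origin': return same ? full : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return same ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (same) return full;
      return downgrade ? null : origin;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// Map each policy to what a given destination would see.
function leakageTable(sourceUrl, destinationUrl) {
  const table = {};
  for (const p of POLICIES) table[p] = referrerFor(p, sourceUrl, destinationUrl);
  return table;
}

// Constructed scenario: a page whose URL carries something private loads a
// third-party embed. The path and query are what the looser policies hand over.
const SOURCE = 'https://example.com/account/reset-password?token=abc123#step2';
const EMBED = 'https://embed.example.net/widget.js';
for (const [p, r] of Object.entries(leakageTable(SOURCE, EMBED))) {
  console.log(p.padEnd(34), r === null ? '(no Referer)' : r);
}
```

Only no-referrer and same-origin send nothing to the cross-origin embed; origin, strict-origin and both *-when-cross-origin values reveal just `https://example.com/`; unsafe-url and no-referrer-when-downgrade hand over the full path and query string.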

  27. Don’t allow certain behaviors
      All behaviors are enabled by default; a sandbox directive disables them all except those in its allow-list.

      Content-Security-Policy: sandbox allow-scripts allow-same-origin allow-popups

  28. Sandbox settings
      allow-forms
      allow-modals
      allow-orientation-lock
      allow-pointer-lock
      allow-popups
      allow-popups-to-escape-sandbox
      allow-presentation
      allow-same-origin
      allow-scripts
      allow-storage-access-by-user-activation
      allow-top-navigation
      allow-top-navigation-by-user-activation


  32. Don’t allow unexpected domains
      The browser will load scripts, fonts, videos, and all other content from anywhere by default.
      Instead, an allow-list can be specified.

      Content-Security-Policy: default-src 'self' *.googleanalytics.com
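Two slides above show Content-Security-Policy headers: a sandbox directive (slide 27) and a default-src allow-list (this slide). As an added example (not code from the talk), the script below parses a CSP header value and answers both questions a practitioner asks of it: which sandbox capabilities the document keeps, and whether a given resource load is permitted, with the fallback from script-src, img-src and the rest to default-src and the spec's host-source matching including the `*.` wildcard. Function names, the combined sample header and the page origin `https://example.com` are the editor's assumptions. Runs under Node.js with no dependencies.

```javascript
// Added example (not from the talk): evaluate a Content-Security-Policy header
// for the sandbox directive and the default-src allow-list shown on the slides.

// The sandbox tokens listed on the slides. With a sandbox directive present,
// every capability not named is off.
const SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-orientation-lock', 'allow-pointer-lock',
  'allow-popups', 'allow-popups-to-escape-sandbox', 'allow-presentation',
  'allow-same-origin', 'allow-scripts', 'allow-storage-access-by-user-activation',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Fetch directives and the directives consulted when they are absent (CSP3 fallback).
const FALLBACK = {
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'frame-src': ['child-src', 'default-src'],
};
for (const d of ['script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
                 'media-src', 'object-src', 'manifest-src', 'child-src']) {
  FALLBACK[d] = ['default-src'];
}

// "name value value; name value" -> { name: [values] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Capabilities a sandboxed document keeps. Unknown tokens are reported because
// a misspelt token such as allow-script silently grants nothing.
function sandboxCapabilities(policy) {
  if (!('sandbox' in policy)) return { sandboxed: false, allowed: [], unknown: [] };
  const allowed = [], unknown = [];
  for (const raw of policy.sandbox) {
    const t = raw.toLowerCase();
    (SANDBOX_TOKENS.has(t) ? allowed : unknown).push(t);
  }
  return { sandboxed: true, allowed, unknown };
}

// Does one source expression match a URL? Covers 'self', 'none', *, scheme-only
// sources (https:) and host sources with optional scheme, port and '*.' prefix.
// Nonces and hashes are out of scope for this example.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === new URL(pageOrigin).origin;
  if (e === '*') return true; // simplified: the spec still excludes data:, blob: and filesystem:
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (u.protocol !== scheme + ':') return false;
  } else if (u.protocol !== new URL(pageOrigin).protocol && u.protocol !== 'https:') {
    return false; // no scheme in the source: the page's scheme, or an upgrade to https
  }
  if (wildcard ? !u.hostname.endsWith('.' + host) : u.hostname !== host) return false;
  if (port === '*') return true;
  return port ? u.port === port : u.port === ''; // no port in the source: default port only
}

// The directive governing a load: itself if present, else the first present fallback.
function governingDirective(policy, directive) {
  if (directive in policy) return directive;
  return (FALLBACK[directive] || []).find((f) => f in policy) || null;
}

// No applicable directive means the load is unrestricted, which is the
// "share and allow everything" default the slides warn about.
function isAllowed(policy, directive, url, pageOrigin) {
  const name = governingDirective(policy, directive);
  return name === null || policy[name].some((e) => sourceMatches(e, url, pageOrigin));
}

// Constructed check: the two slide headers combined, for a page on https://example.com.
const PAGE = 'https://example.com';
const SLIDE_CSP = "default-src 'self' *.googleanalytics.com; sandbox allow-scripts allow-same-origin allow-popups";
const slidePolicy = parseCsp(SLIDE_CSP);
console.log(sandboxCapabilities(slidePolicy));
for (const [dir, url] of [
  ['script-src', 'https://example.com/app.js'],
  ['script-src', 'https://www.googleanalytics.com/analytics.js'],
  ['script-src', 'https://googleanalytics.com/analytics.js'], // '*.' needs at least one extra label
  ['img-src', 'https://cdn.example.net/pixel.gif'],
]) {
  console.log(dir.padEnd(11), url.padEnd(50), isAllowed(slidePolicy, dir, url, PAGE) ? 'allowed' : 'blocked');
}
```

Two things the run makes visible: `*.googleanalytics.com` matches `www.googleanalytics.com` but not the apex `googleanalytics.com`, so check the exact host a third-party script is served from before trusting the wildcard; and a load for which no directive applies (no img-src and no default-src, say) is simply allowed, which is why default-src belongs in every policy. When the same sandbox tokens are put on an iframe's `sandbox` attribute, MDN notes that combining allow-scripts with allow-same-origin lets a same-origin framed document remove the sandboxing, so that pairing deserves a second look.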

  33. Content-Security-Policy settings
      default-src
      connect-src
      font-src
      frame-src
      img-src
      manifest-src
      media-src
      object-src
      script-src
      style-src
      worker-src
      report-uri


  37. Don’t allow browser features
      By default, anything the browser can do is allowed. Instead, an allow-list can be specified.

      Feature-Policy: autoplay 'none'; geolocation 'none'

  38. Feature-Policy settings
      autoplay
      camera
      document-domain
      encrypted-media
      fullscreen
      geolocation
      microphone
      midi
      payment
      vr
      vibrate
      accelerometer
      ambient-light-sensor
      gyroscope
      layout-animations
      legacy-image-formats
      magnetometer
      oversized-images
      picture-in-picture
      speaker
      sync-xhr
      unoptimized-images
      unsized-media
      usb

  39. Applying these techniques
      Interest in this area began with a site with a tight Content-Security-Policy and Twitter…
      Do I want to give Twitter control of my site’s users?

  40. Crazy ideas!?
      Using limited VirtualDOM diffing with a WebWorker — maybe impossible, but maybe magic.

  41. Web security is your responsibility to opt in to. Please do it.