Kick Those Scripts to the Sandbox: Web Security is Your Responsibility @ VueDC

Transcript

1. Kick those
   to the sandbox
   Andrew Dunkman
   @adunkman
   

   View Slide

2. 1
   Trust
   and
   security
   on the
   web
   2
   Malvertising
   & the
   principle
   of least
   privilege
   3
   extending
   the
   browser
   sandbox
   

   View Slide

3. 1
   Trust and security
   on the web
   Download this app!
   

   View Slide

4. 1
   Trust and security
   on the web
   Download this app!
   

   View Slide

5. 1
   Trust and security
   on the web
   Download this app!
   

   View Slide

6. 1
   Trust and security
   on the web
   Download this app!
   

   View Slide

7. 1
   Trust and security
   on the web
   Go to this site!
   https://www.google.com
   

   View Slide

8. 1
   Trust and security
   on the web
   Go to this site!
   https://www.weather.gov
   

   View Slide

9. 1
   Trust and security
   on the web
   Go to this site!
   https://rebecca.blackfriday
   

   View Slide

10. 1
    Trust and security
    on the web
    Go to this site!
    https://.la
    

    View Slide

11. 1
    Trust and security
    on the web
    

    View Slide

12. 1
    Trust and security
    on the web
    Web security model basics
    Site scripts cannot access sensitive parts of your device.
    
    Downloaded content can’t be too large, and can be
    deleted at any time.
    
    Pages and scripts on the same site can communicate,
    but cannot communicate with different sites.
    Sandbox’d!
    

    View Slide

13. 1
    Trust and security
    on the web
    Web security has changed over time
    Web security is always changing as the world changes
    how the internet is used.
    
    You’re responsible for protecting those less technically
    literate.
    

    View Slide

14. 1
    Trust and security
    on the web
    Instant Heart Rate: HR Monitor
    Flo Health Inc.’s Flo Period & Ovulation Tracker
    

    View Slide

15. 1
    Trust and security
    on the web
    cross-site scripting attacks
    Malicious third-party scripts running in a trusted page.
    Advertising and social media embeds
    Malicious third-party scripts running in a trusted page.
    NON
    

    View Slide

16. 1
    Trust
    and
    security
    on the
    web
    2
    Malvertising
    & the
    principle
    of least
    privilege
    3
    extending
    the
    browser
    sandbox
    

    View Slide

17. 2
    Malvertising
    & The principle of least privilege
    malvertising
    Malware (malicious software) advertising — when a
    trusted third-party script betrays that trust.
    

    View Slide

18. 2
    Malvertising
    & The principle of least privilege
    the power of the browser
    We don’t often see the power we’re granting to third party
    scripts.
    
    theannoyingsite.com
    

    View Slide

19. 2
    Malvertising
    & The principle of least privilege
    

    View Slide

20. 2
    Malvertising
    & The principle of least privilege
    the principle of least privilege
    If you have trustworthy neighbors, do they have your
    house keys? Do they have everyone’s house keys?
    
    If you have a trustworthy application, do they have
    access to data from other applications? The ability to
    delete all your photos?
    

    View Slide

21. 2
    Malvertising
    & The principle of least privilege
    Do you follow this principle?
    Unless you limit them, third-party scripts have control to
    do horrible things to people.
    
    You are responsible for what they do.
    

    View Slide

22. 1
    Trust
    and
    security
    on the
    web
    2
    Malvertising
    & the
    principle
    of least
    privilege
    3
    extending
    the
    browser
    sandbox
    

    View Slide

23. 3
    Extending the
    browser sandbox
    by default, share and allow everything
    Backwards compatibility is one of the web’s biggest
    constraints.
    
    Tighter security is opt-in, which is taken advantage of by
    malicious sites and advertisers.
    

    View Slide

24. 3
    Extending the
    browser sandbox
    don’t share session data
    By default, cookies are shared with third-party scripts
    within your sandbox.
    
    This can be prevented by hiding cookies from JavaScript.
    
    Set-Cookie: user=wero2oi34jlksdf; path=/; HttpOnly
    

    View Slide

25. 3
    Extending the
    browser sandbox
    Don’t share where you’ve been
    By default, the current URL is provided to the next page
    and embedded frames.
    
    This can be prevented by implementing a Referrer-Policy.
    
    
    Referrer-Policy: no-referrer
    

    View Slide

26. 3
    Extending the
    browser sandbox
    Referrer-policy settings
    no-referrer

    no-referrer-when-downgrade

    origin

    origin-when-cross-origin

    same-origin

    strict-origin

    strict-origin-when-cross-origin

    unsafe-url
    

    View Slide

27. 3
    Extending the
    browser sandbox
    Don’t allow certain behaviors
    All behaviors are enabled by default, but can be disabled
    by specifying an allow-list.
    
    
    Content-Security-Policy: sandbox allow-scripts allow-
    same-origin allow-popups
    

    View Slide

28. 3
    Extending the
    browser sandbox
    sandbox settings
    allow-forms

    allow-modals

    allow-orientation-lock

    allow-pointer-lock

    allow-popups

    allow-popups-to-escape-sandbox

    allow-presentation

    allow-same-origin

    allow-scripts

    allow-storage-access-by-user-activation

    allow-top-navigation

    allow-top-navigation-by-user-activation
    

    View Slide

29. 3
    Extending the
    browser sandbox
    sandbox settings
    allow-forms

    allow-modals

    allow-orientation-lock

    allow-pointer-lock

    allow-popups

    allow-popups-to-escape-sandbox

    allow-presentation

    allow-same-origin

    allow-scripts

    allow-storage-access-by-user-activation

    allow-top-navigation

    allow-top-navigation-by-user-activation
    

    View Slide

30. 3
    Extending the
    browser sandbox
    sandbox settings
    allow-forms

    allow-modals

    allow-orientation-lock

    allow-pointer-lock

    allow-popups

    allow-popups-to-escape-sandbox

    allow-presentation

    allow-same-origin

    allow-scripts

    allow-storage-access-by-user-activation

    allow-top-navigation

    allow-top-navigation-by-user-activation
    

    View Slide

31. 3
    Extending the
    browser sandbox
    sandbox settings
    allow-forms

    allow-modals

    allow-orientation-lock

    allow-pointer-lock

    allow-popups

    allow-popups-to-escape-sandbox

    allow-presentation

    allow-same-origin

    allow-scripts

    allow-storage-access-by-user-activation

    allow-top-navigation

    allow-top-navigation-by-user-activation
    

    View Slide

32. 3
    Extending the
    browser sandbox
    Don’t allow unexpected domains
    The browser will load scripts, fonts, videos, and all other
    content from anywhere by default.
    
    Instead, an allow-list can be specified.
    
    Content-Security-Policy: default-src 'self'
    *.googleanalytics.com
    

    View Slide

33. 3
    Extending the
    browser sandbox
    content-security-policy settings
    default-src

    connect-src

    font-src

    frame-src

    img-src

    manifest-src

    media-src

    object-src

    script-src

    style-src

    worker-src
    report-uri
    

    View Slide

34. 3
    Extending the
    browser sandbox
    content-security-policy settings
    default-src

    connect-src

    font-src

    frame-src

    img-src

    manifest-src

    media-src

    object-src

    script-src

    style-src

    worker-src
    report-uri

    

    View Slide

35. 3
    Extending the
    browser sandbox
    content-security-policy settings
    default-src

    connect-src

    font-src

    frame-src

    img-src

    manifest-src

    media-src

    object-src

    script-src

    style-src

    worker-src
    report-uri

    

    View Slide

36. 3
    Extending the
    browser sandbox
    content-security-policy settings
    default-src

    connect-src

    font-src

    frame-src

    img-src

    manifest-src

    media-src

    object-src

    script-src

    style-src

    worker-src
    report-uri

    

    View Slide

37. 3
    Extending the
    browser sandbox
    don’t allow browser features
    By default, anything the browser can do is allowed.
    Instead, an allow-list can be specified.
    
    
    Feature-Policy: autoplay 'none'; geolocation ‘none'
    

    View Slide

38. 3
    Extending the
    browser sandbox
    Feature-policy settings
    autoplay

    camera

    document-domain

    encrypted-media

    fullscreen

    geolocation

    microphone

    midi

    payment

    vr

    vibrate
    accelerometer

    ambient-light-sensor

    gyroscope

    layout-animations

    legacy-image-formats

    magnetometer

    oversized-images

    picture-in-picture

    speaker

    sync-xhr

    unoptimized-images

    unsized-media

    usb

    

    View Slide

39. 3
    Extending the
    browser sandbox
    Applying these techniques
    Interest in this area began with a site with a tight 

    Content-Security-Policy and Twitter…
    
    Do I want to give Twitter control of my site’s users?
    

    View Slide

40. 3
    Extending the
    browser sandbox
    Crazy ideas!?
    Using limited VirtualDOM diffing with a WebWorker —
    maybe impossible, but maybe magic.
    

    View Slide

41. web security is
    your responsibility
    to opt-in to Please do it
    

    View Slide