Isolation by Default

Mike West
PRO
December 01, 2020

Presented at a mini XSLeaks summit. TL;DR: Isolation is possible today, but it is entirely opt-in. What if it were opt-out instead, and developers had to opt into cross-origin collaboration? It would certainly be safer. Would it also be good?

(Yes. It would.)

Barely thought-through proposals:

* https://github.com/mikewest/coop-by-default/
* https://github.com/mikewest/embedding-requires-opt-in/
* https://github.com/mikewest/deprecating-document-domain/
* https://wicg.github.io/cors-rfc1918/
* https://github.com/mikewest/credentiallessness/

Transcript

  1. Isolation by Default
    XSLeaks Summit 2020-12-01 — Camille Lamy & Mike West

  2. Status quo ante:

  3. Status quo: Well-informed developers will adopt CORP, XFO, COOP, and COEP. Less-informed developers remain vulnerable.

  4. The Future? Browsers will isolate documents by default. Developers who require cross-origin collaboration can opt out of isolation.

  5. A Few Modest Proposals
    User agents should:
    1. Apply COOP: same-origin-allow-popups by default: https://github.com/mikewest/coop-by-default/
    2. Require embedees to opt into framing rather than out of it: https://github.com/mikewest/embedding-requires-opt-in/
    3. Deprecate and remove impediments to origin isolation by default (most notably document.domain): https://github.com/mikewest/deprecating-document-domain

  6. A Few More Modest Proposals
    User agents should:
    4. Require opt-in for communication across network boundaries: https://wicg.github.io/cors-rfc1918/
    5. Shift towards credentialless requests by default (SameSite=Lax on the one hand, COEP: x-bikeshed-credentialless-unless-cors on the other): https://github.com/mikewest/credentiallessness/
    6. Strict MIME type checking, in conjunction with CORB/ORB.
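As an added example (not code from the deck or its authors), the following audit takes a response's headers and reports the policy a browser would apply under today's opt-in defaults and under the opt-out defaults slides 5 and 6 propose; it also applies the spec's crossOriginIsolated rule to show that the proposed COOP default closes the opener leak without unlocking cross-origin-isolated features. The two sample responses are constructed, and the proposed default for framing is a placeholder string because the slide names no header value.

```python
"""Audit isolation headers under today's opt-in defaults and under the
opt-out defaults proposed on slides 5 and 6 (added example, not from the
deck). Today's defaults are what browsers apply when a header is absent."""
from __future__ import annotations

# header -> (effective value today when absent, proposed default when absent)
DEFAULTS = {
    "cross-origin-opener-policy": ("unsafe-none", "same-origin-allow-popups"),
    "cross-origin-embedder-policy": ("unsafe-none", "x-bikeshed-credentialless-unless-cors"),
    "x-frame-options": ("(any origin may frame)", "(placeholder: opt-in required to frame)"),
    "cross-origin-resource-policy": ("(any origin may load)", "(no concrete value on the slides)"),
}

def _normalize(headers: dict[str, str]) -> dict[str, str]:
    """Lower-case names and values so lookups are case-insensitive."""
    return {k.strip().lower(): v.strip().lower() for k, v in headers.items()}

def effective_policy(headers: dict[str, str], *, proposed: bool = False) -> dict[str, str]:
    """Policy a browser would apply per header, substituting today's default
    (or the slides' proposed default) for each header the response omits."""
    h = _normalize(headers)
    idx = 1 if proposed else 0
    return {name: h.get(name, DEFAULTS[name][idx]) for name in DEFAULTS}

def missing_isolation_headers(headers: dict[str, str]) -> list[str]:
    """Headers not sent at all: today each one leaves the document at the
    browser's permissive default (slide 3's 'less-informed developer' case)."""
    h = _normalize(headers)
    return [name for name in DEFAULTS if name not in h]

def is_cross_origin_isolated(headers: dict[str, str], *, proposed: bool = False) -> bool:
    """HTML's crossOriginIsolated rule: COOP same-origin plus COEP require-corp
    (credentialless was added later). The proposed COOP default of
    same-origin-allow-popups does not meet it: it cuts the opener link that
    XS-Leaks abuse but does not enable cross-origin-isolated capabilities."""
    p = effective_policy(headers, proposed=proposed)
    return (p["cross-origin-opener-policy"] == "same-origin"
            and p["cross-origin-embedder-policy"] in ("require-corp", "credentialless"))

# Constructed samples: a response with no isolation headers at all, and one
# from a "well-informed" developer (slide 3) who opts in to all four.
BARE_RESPONSE = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "X-Frame-Options": "DENY",
    "Cross-Origin-Resource-Policy": "same-origin",
}
```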

  7. What else should we try to break fix?