Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Isolation by Default

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
December 01, 2020

Isolation by Default

Presented at a mini-XSLeaks summit: TL;DR: Isolation is possible today, but is entirely opt-in. What if it was opt-out instead, and developers had to opt-into cross-origin collaboration? It would certainly be safer. Would it also be good?

(Yes. It would.)

Barely thought-through proposals:

* https://github.com/mikewest/coop-by-default/
* https://github.com/mikewest/embedding-requires-opt-in/
* https://github.com/mikewest/deprecating-document-domain/
* https://wicg.github.io/cors-rfc1918/
* https://github.com/mikewest/credentiallessness/


Mike West

December 01, 2020


  1. Isolation by Default XSLeaks Summit 2020-12-01 — Camille Lamy &

    Mike West
  2. Status quo ante:

  3. Status quo: Well-informed developers will adopt CORP, XFO, COOP, and

    COEP. Less-informed developers remain vulnerable.
  4. The Future? Browsers will isolate documents by default. Developers who

    require cross-origin collaboration can opt-out of isolation.
  5. A Few Modest Proposals User agents should: 1. Apply COOP:

    same-origin-allow-popups by default: https://github.com/mikewest/coop-by-default/ 2. Require embedees to opt-into framing rather than out of it: https://github.com/mikewest/embedding-requires-opt-in/ 3. Deprecate and remove impediments to origin isolation by default (most notably document.domain: https://github.com/mikewest/deprecating-document-domain)
  6. A Few More Modest Proposals User agents should: 4. Require

    opt-in for communication across network boundaries: https://wicg.github.io/cors-rfc1918/ 5. Shift towards credentiallness requests by default (SameSite=Lax on the one hand, COEP: x-bikeshed-credentialless-unless-cors on the other): https://github.com/mikewest/credentiallessness/ 6. Strict MIME type checking, in conjunction with CORB/ORB.
  7. What else should we try to break fix?