$30 off During Our Annual Pro Sale. View Details »

Isolation by Default

December 01, 2020

1.5k

Isolation by Default

Presented at a mini-XSLeaks summit: TL;DR: Isolation is possible today, but is entirely opt-in. What if it was opt-out instead, and developers had to opt-into cross-origin collaboration? It would certainly be safer. Would it also be good?

(Yes. It would.)

Barely thought-through proposals:

* https://github.com/mikewest/coop-by-default/
* https://github.com/mikewest/embedding-requires-opt-in/
* https://github.com/mikewest/deprecating-document-domain/
* https://wicg.github.io/cors-rfc1918/
* https://github.com/mikewest/credentiallessness/

Mike West
PRO

December 01, 2020

Tweet

More Decks by Mike West

See All by Mike West

W3C Permissions Workshop - 2022-12-05

The Web We Can Ship

Web Platform Security @ CMS Security Summit 2020

Web Platform Security @ TechDays 2019

Cookies are bad @ HTTP Workshop 2019

Web Platform Security @ CMS Security Summit

Web Platform Security PhD Summit @ Google Munich

Hardening the Web Platform - AppSec EU, 2016

Other Decks in Programming

See All in Programming

技術書を読む技術（JJUG CCC 2023 Fall）

Modern Java for the Masses! Is Java Still Relevant?

Better Code Design in PHP

SONY NEWS NetBSD移植作業とNWS-3260展示 / KOF2023

Visually experience the beauty of mathematics with p5.js

アクセシビリティを理解するとフロントエンドのテストが楽になる！

Vue & Vite Rustify

「defineCustomElement」を活用したサービス共通のUIコンポーネントライブラリ

進化したWeb技術でPWAをネイティブアプリに近づける / frontend-conf-2023

クソアプリを作ってみた💩 / kusojaku

安心してリリース！〜Blue/Greenデプロイ戦略の実体験〜 - NIFTY Tech Day 2023

The Secret Ingredient: How to Understand and Resolve Just about Any Flaky Test

Featured

See All Featured

Build your cross-platform service in a week with App Engine

10 Git Anti Patterns You Should be Aware of

Rails Girls Zürich Keynote

Making the Leap to Tech Lead

Agile that works and the tools we love

Building Better People: How to give real-time feedback that sticks.

Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure

"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)

Thoughts on Productivity

Ruby is Unlike a Banana

WebSockets: Embracing the real-time Web

Fantastic passwords and where to find them - at NoRuKo

Transcript

Isolation by Default
XSLeaks Summit 2020-12-01 — Camille Lamy & Mike West

View Slide
Status quo ante:

View Slide
Status quo: Well-informed
developers will adopt
CORP, XFO, COOP, and
COEP. Less-informed
developers remain
vulnerable.

View Slide
The Future? Browsers will isolate
documents by default.
Developers who require
cross-origin collaboration
can opt-out of isolation.

View Slide
A Few Modest Proposals
User agents should:
1. Apply COOP: same-origin-allow-popups by default:
https://github.com/mikewest/coop-by-default/
2. Require embedees to opt-into framing rather than out of it:
https://github.com/mikewest/embedding-requires-opt-in/
3. Deprecate and remove impediments to origin isolation by default (most notably
document.domain: https://github.com/mikewest/deprecating-document-domain)

View Slide
A Few More Modest Proposals
User agents should:
4. Require opt-in for communication across network boundaries:
https://wicg.github.io/cors-rfc1918/
5. Shift towards credentiallness requests by default (SameSite=Lax on the one hand,
COEP: x-bikeshed-credentialless-unless-cors on the other):
https://github.com/mikewest/credentiallessness/
6. Strict MIME type checking, in conjunction with CORB/ORB.

View Slide
What else should
we try to break ﬁx?

View Slide