Isolation by Default

December 01, 2020

1.9k

Isolation by Default

Presented at a mini-XSLeaks summit: TL;DR: Isolation is possible today, but is entirely opt-in. What if it was opt-out instead, and developers had to opt-into cross-origin collaboration? It would certainly be safer. Would it also be good?

(Yes. It would.)

Barely thought-through proposals:

* https://github.com/mikewest/coop-by-default/
* https://github.com/mikewest/embedding-requires-opt-in/
* https://github.com/mikewest/deprecating-document-domain/
* https://wicg.github.io/cors-rfc1918/
* https://github.com/mikewest/credentiallessness/

Mike West
PRO

December 01, 2020

More Decks by Mike West

See All by Mike West

W3C Permissions Workshop - 2022-12-05

mikewest

PRO

110

The Web We Can Ship

mikewest

PRO

490

Web Platform Security @ CMS Security Summit 2020

mikewest

PRO

3.2k

Web Platform Security @ TechDays 2019

mikewest

PRO

180

Cookies are bad @ HTTP Workshop 2019

mikewest

PRO

450

Web Platform Security @ CMS Security Summit

mikewest

PRO

120

Web Platform Security PhD Summit @ Google Munich

mikewest

PRO

970

BSides Munich

mikewest

PRO

340

Hardening the Web Platform - AppSec EU, 2016

mikewest

PRO

1.5k

Other Decks in Programming

See All in Programming

医療系ソフトウェアのAI駆動開発

koukimiura

100

最速Green Tea 🍵 Garbage Collector

kuro_kurorrr

120

2025-04-25 GitHub Copilot Agent ライブデモ（スクリプト）

goataka

110

実践Webフロントパフォーマンスチューニング

cp20

10k

Serving TUIs over SSH with Go

caarlos0

650

20250429 - CNTUG Meetup #67 / DevOps Taiwan Meetup #69 - Deep Dive into Tetragon: Building Runtime Security and Observability with eBPF

tico88612

180

Laravel × Clean Architecture

bumptakayuki

PRO

150

「理解」を重視したAI活用開発

fast_doctor

300

eBPF超入門「o11yに使える」とは (20250424_eBPF_o11y)

thousanda

120

Rubyの!メソッドをちゃんと理解する

alstrocrack

290

Lambda(Python)のリファクタリングが好きなんです

komakichi

270

知識0からカンファレンスやってみたらこうなった！

syossan27

240

Featured

See All Featured

No one is an island. Learnings from fostering a developers community.

thoeni

3.3k

The MySQL Ecosystem @ GitHub 2015

samlambert

251

12k

Bash Introduction

62gerente

613

210k

GraphQLとの向き合い方2022年版

quramy

14k

Build your cross-platform service in a week with App Engine

jlugia

231

18k

Reflections from 52 weeks, 52 projects

jeffersonlam

349

20k

Exploring the Power of Turbo Streams & Action Cable | RailsConf2023

kevinliebholz

5.6k

Build The Right Thing And Hit Your Dates

maggiecrowley

2.7k

Refactoring Trust on Your Teams (GOTO; Chicago 2020)

rmw

2.9k

A Modern Web Designer's Workflow

chriscoyier

693

190k

Agile that works and the tools we love

rasmusluckow

329

21k

Designing for humans not robots

tammielis

253

25k

Transcript

Isolation by Default XSLeaks Summit 2020-12-01 — Camille Lamy &
Mike West
Status quo ante:
Status quo: Well-informed developers will adopt CORP, XFO, COOP, and
COEP. Less-informed developers remain vulnerable.
The Future? Browsers will isolate documents by default. Developers who
require cross-origin collaboration can opt-out of isolation.
A Few Modest Proposals User agents should: 1. Apply COOP:
same-origin-allow-popups by default: https://github.com/mikewest/coop-by-default/ 2. Require embedees to opt-into framing rather than out of it: https://github.com/mikewest/embedding-requires-opt-in/ 3. Deprecate and remove impediments to origin isolation by default (most notably document.domain: https://github.com/mikewest/deprecating-document-domain)
A Few More Modest Proposals User agents should: 4. Require
opt-in for communication across network boundaries: https://wicg.github.io/cors-rfc1918/ 5. Shift towards credentiallness requests by default (SameSite=Lax on the one hand, COEP: x-bikeshed-credentialless-unless-cors on the other): https://github.com/mikewest/credentiallessness/ 6. Strict MIME type checking, in conjunction with CORB/ORB.
What else should we try to break ﬁx?