Web Platform Security @ CMS Security Summit 2020

Mike West
February 06, 2020


TL;DR:

1. The web platform arm of Chrome's security team aims to focus on isolation and injection mitigations in 2020.

2. Strict CSP is pretty good. Trusted Types is looking promising.

3. Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy are important new primitives that I hope y'all are paying attention to.

4. We should raise the bar for new development to include the mitigations above.


Transcript

  1. Slide 1

    Web Platform Security
    CMS Security Summit, Feb. 2020
    Mike West, NOT A DIRECTOR, CHROME SECURITY
    mkwst@google.com
  2. Slide 6

    // DOM XSS
    const templateId = location.hash.match(/tplid=([^;&]*)/)[1];
    document.head.innerHTML += `<link rel="stylesheet" href="/${templateId}/style.css">`;
    // `https://example.com#tplid="><img src=x onerror=alert(1)>` => DOM XSS

    // Reflected XSS
    <?php echo "Hello, {$_GET['name']}!" ?>
    // `https://example.com?name=<script>alert(1)</script>` => Reflected XSS
  3. Slide 8

    Strict CSP  bit.ly/strict-csp

    Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-ABCDEFG' 'strict-dynamic' …;

    <script id="1" nonce="ABCDEFG">
      doAmazingThings("yay"); // Executes.
      let s = document.createElement('script');
      s.src = "/script.js";
      document.body.appendChild(s); // Executes ('strict-dynamic' propagates trust to scripts created by a nonced script).
    </script>
    <script id="2">/* This will not execute. */</script>
    <script id="3" nonce="BOO">/* Nor this. */</script>
    <embed src="/flash.swf"> <!-- Nor this. -->
    <base href="https://evil.com/" nor="this" />
  4. Slide 11

    Trusted Types  bit.ly/tt-introduction  bit.ly/tt-spec

    let p = trustedTypes.createPolicy("my-policy", {
      createHTML: (i) => sanitizerGoesHere(i),
      createScript: (i) => anotherSanitizer(i),
      createScriptURL: (i) => allowedURLs(i)
    });

    myDiv.innerHTML = p.createHTML(userInput);
    eval(p.createScript(moreInput));
    scriptEl.src = p.createScriptURL(evenMore);

    Content-Security-Policy: ... require-trusted-types-for 'script'; trusted-types my-policy;
  5. Slide 12

    Trusted Types  bit.ly/tt-introduction  bit.ly/tt-spec

    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri ...;

    let p = trustedTypes.createPolicy("my-policy", {
      createHTML: a => a,
      createScript: a => a,
      createScriptURL: a => a
    });

    {"csp-report": {...
      "violated-directive": "require-trusted-types-for",
      "blocked-uri": "trusted-types-sink",
      "line-number": 128,
      "column-number": 73,
      "source-file": "https://example.site/a.html",
      "script-sample": "Element.innerHTML console.log('Hello');",
    ...}}
  6. Slide 26

    Fetch Metadata  bit.ly/fm-spec  bit.ly/fm-policies
    Artur Janc, 10:00ish tomorrow.

    // Top-level navigation
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

    // <img>
    Sec-Fetch-Dest: image
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Site: cross-site

    Cross-Origin Opener Policy  bit.ly/coop-spec
    Cross-Origin-Opener-Policy: same-origin; report-to=endpoint
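Added example, not part of Mike West's slides: a server-side resource isolation policy of the kind bit.ly/fm-policies describes, built on the Sec-Fetch-* request headers shown on slide 26. The function names (isRequestAllowed, evaluateSamples), the header-map shape and the sample requests are constructed for this example.

```javascript
// Resource isolation policy on Fetch Metadata (Sec-Fetch-*) request headers.
// `headers` is a map of lower-cased header names; `method` is the HTTP method.
function isRequestAllowed(method, headers) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // Browsers without Fetch Metadata send no Sec-Fetch-Site: fail open so they
  // keep working. The policy only hardens clients that do send the headers.
  if (site === undefined) return true;

  // Same-origin, same-site and user-initiated (address bar, bookmark) requests
  // are not cross-site attacks: allow.
  if (site === "same-origin" || site === "same-site" || site === "none") return true;

  // Plain top-level cross-site navigations (links, redirects) must keep working,
  // but cross-site <object>/<embed> loads of the same URL are rejected.
  if (mode === "navigate" && method === "GET" && dest !== "object" && dest !== "embed") {
    return true;
  }

  // Everything else cross-site (<img>, fetch(), <script>, form POSTs, ...) is
  // rejected before any application code runs.
  return false;
}

// Constructed sample requests; the first two are the header sets from slide 26.
const SAMPLE_REQUESTS = {
  topLevelSameOrigin: ["GET", { "sec-fetch-dest": "document", "sec-fetch-mode": "navigate",
                                "sec-fetch-site": "same-origin", "sec-fetch-user": "?1" }],
  crossSiteImage:     ["GET", { "sec-fetch-dest": "image", "sec-fetch-mode": "no-cors",
                                "sec-fetch-site": "cross-site" }],
  crossSiteLinkClick: ["GET", { "sec-fetch-dest": "document", "sec-fetch-mode": "navigate",
                                "sec-fetch-site": "cross-site", "sec-fetch-user": "?1" }],
  crossSiteEmbed:     ["GET", { "sec-fetch-dest": "embed", "sec-fetch-mode": "navigate",
                                "sec-fetch-site": "cross-site" }],
  crossSiteFormPost:  ["POST", { "sec-fetch-dest": "document", "sec-fetch-mode": "navigate",
                                 "sec-fetch-site": "cross-site" }],
  legacyBrowser:      ["GET", { "accept": "*/*" }],
};

// Runs the policy over every sample and returns { sampleName: allowed }.
function evaluateSamples() {
  const verdicts = {};
  for (const [name, [method, headers]] of Object.entries(SAMPLE_REQUESTS)) {
    verdicts[name] = isRequestAllowed(method, headers);
  }
  return verdicts;
}
```

Deploy such a check in report-only form first (log the verdict instead of rejecting) and watch for legitimate cross-site traffic the policy would block, exactly as the Report-Only CSP header on slide 12 does for Trusted Types.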