Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ CMS Security Summit 2020

Mike West
February 06, 2020

Web Platform Security @ CMS Security Summit 2020


1. The web platform arm of Chrome's security team aims to focus on isolation and injection mitigations in 2020.

2. Strict CSP is pretty good. Trusted Types is looking promising.

3. Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy are important new primitives that I hope y'all are paying attention to.

4. We should raise the bar for new development to include the mitigations above.

Mike West

February 06, 2020

More Decks by Mike West

Other Decks in Programming


  1. const templateId = location.hash.match(/tplid=([^;&]*)/)[1]; document.head.innerHTML += `<link rel="stylesheet" href="/${templateId}/style.css">` //

    `https://example.com#tplid="><img src=x onerror=alert(1)>` => <?php echo "Hello, {$_GET['name']}!" ?> // `https://example.com?name=<script>alert(1)</script>` => DOM XSS Reflected XSS
  2. Strict CSP bit.ly/strict-csp Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-ABCDEFG'

    'strict-dynamic' …; <script id="1" nonce="ABCDEFG"> doAmazingThings("yay"); // Executes. let s = document.createElement('script'); s.src = "/script.js"; document.body.appendChild(s); // Executes. </script> <script id="2">/* This will not execute. */</script> <script id="3" nonce="BOO">/* Nor this. */</script> <embed src="/flash.swf">/* Nor this. */</script> <base href="https://evil.com/" nor="this" />
  3. let p = trustedTypes.createPolicy("my-policy", { createHTML: (i) => sanitizerGoesHere(i), createScript:

    (i) => anotherSanitizer(i), createScriptURL: (i) => allowedURLs(i) }); myDiv.innerHTML = p.createHTML(userInput); eval(p.createScript(moreInput)); scriptEl.src = p.createScriptURL(evenMore); Content-Security-Policy: ... require-trusted-types-for 'script'; trusted-types my-awesome-policy; Trusted Types bit.ly/tt-introduction bit.ly/tt-spec
  4. Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri ...; let p = trustedTypes.createPolicy("my-policy", {

    createHTML: a=>a, createScript: a=>a, createScriptURL: a=>a }); {"csp-report":{... "violated-directive": "require-trusted-types-for", "blocked-uri": "trusted-types-sink", "line-number": 128, "column-number": 73, "source-file": "https://example.site/a.html", "script-sample": "Element.innerHTML console.log('Hello');", ...}} Trusted Types bit.ly/tt-introduction bit.ly/tt-spec
  5. // Top-level navigation Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User:

    ?1 // <img> Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: cross-site Fetch Metadata bit.ly/fm-spec bit.ly/fm-policies Artur Janc 10:00ish tomorrow. Cross-Origin-Opener-Policy: same-origin; report-to=endpoint Cross-Origin Opener Policy bit.ly/coop-spec