
Web Platform Security @ CMS Security Summit 2020

Mike West
February 06, 2020



1. The web platform arm of Chrome's security team aims to focus on isolation and injection mitigations in 2020.

2. Strict CSP is pretty good. Trusted Types is looking promising.

3. Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy are important new primitives that I hope y'all are paying attention to.

4. We should raise the bar for new development to include the mitigations above.



  1. Web Platform Security CMS Security Summit, Feb. 2020 Mike West

  2. Google Vulnerability Reward Program payouts in 2018


  4. Injection and Isolation are our focus in 2020.

  5. Injection

  6. // DOM XSS: an attacker-controlled fragment flows into innerHTML
     const templateId = location.hash.match(/tplid=([^;&]*)/)[1];
     document.head.innerHTML += `<link rel="stylesheet" href="/${templateId}/style.css">`
     // `"><img src=x onerror=alert(1)>` => DOM XSS

     // Reflected XSS: a query parameter is echoed without escaping
     <?php echo "Hello, {$_GET['name']}!" ?>
     // `<script>alert(1)</script>` => Reflected XSS
  7. Strict CSP
     Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-{random}' 'strict-dynamic' ...;

  8. Strict CSP
     Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-ABCDEFG' 'strict-dynamic' …;

     <script id="1" nonce="ABCDEFG">
       doAmazingThings("yay"); // Executes.
       let s = document.createElement('script');
       s.src = "/script.js";
       document.body.appendChild(s); // Executes: added by a nonced script, which 'strict-dynamic' trusts.
     </script>
     <script id="2">/* This will not execute. */</script>
     <script id="3" nonce="BOO">/* Nor this. */</script>
     <embed src="/flash.swf"> <!-- Nor this (object-src 'none'). -->
     <base href="" nor="this" /> <!-- Nor this (base-uri 'none'). -->
  9. Trusted Types

  10. Trusted Types

  11. Trusted Types

     let p = trustedTypes.createPolicy("my-policy", {
       createHTML: (i) => sanitizerGoesHere(i),
       createScript: (i) => anotherSanitizer(i),
       createScriptURL: (i) => allowedURLs(i)
     });
     myDiv.innerHTML = p.createHTML(userInput);
     eval(p.createScript(moreInput));
     scriptEl.src = p.createScriptURL(evenMore);

     // The policy name must appear in the trusted-types allowlist, or createPolicy throws.
     Content-Security-Policy: ... require-trusted-types-for 'script'; trusted-types my-policy;
  12. Trusted Types (report-only rollout)

     Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri ...;

     // Pass-through policy while auditing: nothing is blocked yet, and every
     // sink assignment that does not go through a policy shows up as a report.
     let p = trustedTypes.createPolicy("my-policy", {
       createHTML: a => a, createScript: a => a, createScriptURL: a => a
     });

     {"csp-report": {...
       "violated-directive": "require-trusted-types-for",
       "blocked-uri": "trusted-types-sink",
       "line-number": 128,
       "column-number": 73,
       "source-file": "",
       "script-sample": "Element.innerHTML console.log('Hello');",
     ...}}
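An added example, not code from the deck, of what to do with the reports that the report-only rollout on slide 12 produces: group them by sink and by source location so the migration to the policy on slide 11 can be planned. Node.js, no dependencies. The reports are constructed by hand in the shape the slide shows; the file names, line numbers and samples are invented. Trusted Types reports carry the sink name at the start of `script-sample`, separated from the sample by `|`; the parser below also accepts whitespace, as on the slide. The sink-to-policy-function map covers the sinks from the Trusted Types specification that I am sure of and is meant to be extended.

```javascript
// Builds one report in the slide's shape (constructed test data).
function report(file, line, col, sample) {
  return { 'csp-report': {
    'violated-directive': 'require-trusted-types-for',
    'blocked-uri': 'trusted-types-sink',
    'source-file': file, 'line-number': line, 'column-number': col,
    'script-sample': sample,
  } };
}

// Constructed sample batch: two hits on one innerHTML line, one eval, one script.src,
// and one ordinary CSP report from the same endpoint that must be ignored.
const REPORTS = [
  report('https://app.example.test/static/legacy.js', 128, 73, "Element.innerHTML|console.log('Hello');"),
  report('https://app.example.test/static/legacy.js', 128, 73, 'Element.innerHTML|<b>Welcome back</b>'),
  report('https://app.example.test/static/widgets.js', 40, 12, 'eval|return fn('),
  report('https://app.example.test/static/loader.js', 9, 5, 'HTMLScriptElement.src|https://cdn.example.test/lib.js'),
  { 'csp-report': { 'violated-directive': 'script-src', 'blocked-uri': 'https://evil.example/x.js' } },
];

// Which createPolicy() function each sink will need once enforcement is on.
const SINK_TO_POLICY_FN = {
  'Element.innerHTML': 'createHTML', 'Element.outerHTML': 'createHTML',
  'Element.insertAdjacentHTML': 'createHTML', 'Document.write': 'createHTML',
  'Document.writeln': 'createHTML', 'DOMParser.parseFromString': 'createHTML',
  'HTMLIFrameElement.srcdoc': 'createHTML',
  'eval': 'createScript', 'Function': 'createScript',
  'HTMLScriptElement.text': 'createScript', 'HTMLScriptElement.innerText': 'createScript',
  'HTMLScriptElement.textContent': 'createScript',
  'HTMLScriptElement.src': 'createScriptURL', 'Worker constructor': 'createScriptURL',
  'SharedWorker constructor': 'createScriptURL', 'importScripts': 'createScriptURL',
};

// "Element.innerHTML|<sample>" or "Element.innerHTML <sample>" -> "Element.innerHTML"
function parseSink(sample) {
  const m = /^([\w.]+(?: constructor)?)(?:\||\s|$)/.exec(sample || '');
  return m ? m[1] : 'unknown';
}

// Keeps only Trusted Types violations and aggregates them by sink and by location,
// most frequent location first.
function triage(reports) {
  const bySink = {};
  const byLocation = new Map();
  for (const r of reports) {
    const body = r['csp-report'];
    if (!body || body['violated-directive'] !== 'require-trusted-types-for') continue;
    const sink = parseSink(body['script-sample']);
    bySink[sink] = (bySink[sink] || 0) + 1;
    const key = `${body['source-file'] || '(inline)'}:${body['line-number']}:${body['column-number']}`;
    const entry = byLocation.get(key) ||
      { location: key, sink, policyFn: SINK_TO_POLICY_FN[sink] || 'unknown', count: 0 };
    entry.count += 1;
    byLocation.set(key, entry);
  }
  const locations = [...byLocation.values()].sort((a, b) => b.count - a.count);
  return { total: locations.reduce((n, e) => n + e.count, 0), bySink, locations };
}

// The set of policy functions the eventual createPolicy() call has to provide.
function policyFunctionsNeeded(result) {
  return [...new Set(result.locations.map(l => l.policyFn))].sort();
}
```

Run the triage over a day of reports before switching the header from `Content-Security-Policy-Report-Only` to `Content-Security-Policy`: the location list is the work queue, and `policyFunctionsNeeded` tells you which of `createHTML`, `createScript` and `createScriptURL` the production policy must implement.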
  13. Scripting Policy (WIP)
      Scripting-Policy: nonce="ABCDEFG", require-trusted-types-for=(script)

  14. Isolation

  19. Cross-Origin Resource Policy
      Cross-Origin-Resource-Policy: same-origin

  20. Cross-Origin Resource Policy
      Cross-Origin-Resource-Policy: same-site

  21. Cross-Origin Resource Policy
      Cross-Origin-Resource-Policy: cross-origin
      (The slide text reads `cross-site`, an earlier draft name; the value that shipped in the Fetch standard and in browsers is `cross-origin`.)

  22. Cross-Origin Resource Policy
      Cross-Origin-Resource-Policy: same-origin

  23. Please, set CORP headers for known cross-site responses.

  24. Cross-Origin Embedder Policy
      Cross-Origin-Embedder-Policy: require-corp

      CORP: same-origin / CORP: same-site / CORP: cross-origin
      With require-corp on the embedding page, a cross-origin no-cors subresource loads only if its response carries a CORP value that admits the embedder (same-site from the same site, or cross-origin) or is fetched with CORS; a response with no CORP header is treated as same-origin and blocked.
  25. COEP will be required when using APIs that amplify side-channel
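An added example, not code from the deck, modelling the decision behind slides 19 to 25: whether a no-cors response may be loaded by a given page, based on its Cross-Origin-Resource-Policy header and on whether the embedder sent COEP: require-corp. Node.js, no dependencies. `registrableDomain` keeps the last two host labels and is a stand-in for the public-suffix logic browsers use; the site names are invented.

```javascript
// Stand-in for public-suffix handling: last two labels of the host.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Schemeful same-site: same scheme and same registrable domain.
function sameSite(a, b) {
  const u = new URL(a), v = new URL(b);
  return u.protocol === v.protocol &&
         registrableDomain(u.hostname) === registrableDomain(v.hostname);
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

const CORP_VALUES = ['same-origin', 'same-site', 'cross-origin'];

// Decides whether a page at `pageOrigin` may load `responseUrl` as a no-cors
// subresource, given the response's CORP header (`corp`, null when absent)
// and whether the page itself set Cross-Origin-Embedder-Policy: require-corp.
function corpCheck({ pageOrigin, responseUrl, corp = null, requireCorp = false, mode = 'no-cors' }) {
  if (mode !== 'no-cors') {
    return { allowed: true, reason: 'CORS-mode request; the CORS check decides' };
  }
  if (sameOrigin(pageOrigin, responseUrl)) {
    return { allowed: true, reason: 'same-origin' };
  }
  let policy = (corp || '').trim().toLowerCase();
  if (!CORP_VALUES.includes(policy)) {
    if (!requireCorp) {
      return { allowed: true, reason: 'no valid CORP header and the embedder does not require one' };
    }
    policy = 'same-origin'; // require-corp: a missing header counts as same-origin
  }
  if (policy === 'cross-origin') {
    return { allowed: true, reason: 'CORP: cross-origin' };
  }
  if (policy === 'same-site' && sameSite(pageOrigin, responseUrl)) {
    return { allowed: true, reason: 'CORP: same-site and the page is same-site' };
  }
  return {
    allowed: false,
    reason: `blocked by CORP: ${policy}` + (corp ? '' : ' (no header; defaulted under require-corp)'),
  };
}
```

The last two branches are the ones that bite during a COEP rollout: an image or script host that never sent CORP is fine for ordinary pages but disappears from a require-corp page, which is why slide 23 asks for CORP on known cross-site responses.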

  26. Fetch Metadata

      // Top-level navigation
      Sec-Fetch-Dest: document
      Sec-Fetch-Mode: navigate
      Sec-Fetch-Site: same-origin
      Sec-Fetch-User: ?1

      // <img>
      Sec-Fetch-Dest: image
      Sec-Fetch-Mode: no-cors
      Sec-Fetch-Site: cross-site

      (Artur Janc covers Fetch Metadata at 10:00ish tomorrow.)

      Cross-Origin Opener Policy
      Cross-Origin-Opener-Policy: same-origin; report-to="endpoint"
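An added example, not code from the deck, of the server-side resource isolation policy that the Sec-Fetch-* headers above make possible: the server rejects cross-site requests except top-level GET navigations and a small set of endpoints that are meant to be called cross-site. Node.js, framework-free; the two sample requests are built from the slide's headers, and the allowlisted path is invented.

```javascript
// Endpoints that are intentionally reachable cross-site (assumed for the example).
const CROSS_SITE_ALLOWLIST = new Set(['/api/public']);

// Returns { allowed, reason } for a request object with `method`, `url` and
// lower-cased `headers`. Requests without Sec-Fetch-Site (older browsers) pass.
function resourceIsolation(req) {
  const h = k => (req.headers[k] || '').toLowerCase();
  const site = h('sec-fetch-site');
  if (!site) {
    return { allowed: true, reason: 'no Fetch Metadata; older browser' };
  }
  if (['same-origin', 'same-site', 'none'].includes(site)) {
    return { allowed: true, reason: `sec-fetch-site: ${site}` };
  }
  // Everything below is cross-site.
  if (h('sec-fetch-mode') === 'navigate' && req.method === 'GET' &&
      !['object', 'embed'].includes(h('sec-fetch-dest'))) {
    return { allowed: true, reason: 'cross-site top-level GET navigation' };
  }
  const path = new URL(req.url, 'http://localhost').pathname;
  if (CROSS_SITE_ALLOWLIST.has(path)) {
    return { allowed: true, reason: 'allowlisted cross-site endpoint' };
  }
  return { allowed: false, reason: 'cross-site subresource or non-navigation request' };
}

// Maps the decision to an HTTP response. `Vary` keeps caches from serving one
// site's answer to another.
function handle(req) {
  const decision = resourceIsolation(req);
  return {
    status: decision.allowed ? 200 : 403,
    headers: { 'Vary': 'Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest' },
    reason: decision.reason,
  };
}

// The two requests from the slide (constructed).
const NAVIGATION = {
  method: 'GET', url: '/',
  headers: { 'sec-fetch-dest': 'document', 'sec-fetch-mode': 'navigate',
             'sec-fetch-site': 'same-origin', 'sec-fetch-user': '?1' },
};
const CROSS_SITE_IMG = {
  method: 'GET', url: '/avatar.png',
  headers: { 'sec-fetch-dest': 'image', 'sec-fetch-mode': 'no-cors',
             'sec-fetch-site': 'cross-site' },
};
```

Cross-site form POSTs are rejected by this policy as well, which is the intended CSRF protection; deploy it in a log-only mode first so that legitimate cross-site entry points can be added to the allowlist before enforcement.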
  27. Securer Contexts (WIP)

  28. TLS is an insufficient baseline in 2020. Isolation is critical.
  29. Thanks! @mikewest