Web Platform Security @ CMS Security Summit 2020

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
February 06, 2020

Web Platform Security @ CMS Security Summit 2020


1. The web platform arm of Chrome's security team aims to focus on isolation and injection mitigations in 2020.

2. Strict CSP is pretty good. Trusted Types is looking promising.

3. Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy are important new primitives that I hope y'all are paying attention to.

4. We should raise the bar for new development to include the mitigations above.


Mike West

February 06, 2020


  1. Web Platform Security CMS Security Summit, Feb. 2020 Mike West

    NOT A DIRECTOR, CHROME SECURITY mkwst@google.com
  2. Google Vulnerability Reward Program payouts in 2018 youtu.be/DDtM9caQ97I

  3. bit.ly/post-spectre-threat-model

  4. Injection and Isolation are our focus in 2020.

  5. Injection

  6. const templateId = location.hash.match(/tplid=([^;&]*)/)[1]; document.head.innerHTML += `<link rel="stylesheet" href="/${templateId}/style.css">` //

    `https://example.com#tplid="><img src=x onerror=alert(1)>` => <?php echo "Hello, {$_GET['name']}!" ?> // `https://example.com?name=<script>alert(1)</script>` => DOM XSS Reflected XSS
  7. Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-{random}' 'strict-dynamic' ...; Strict

    CSP bit.ly/strict-csp
  8. Strict CSP bit.ly/strict-csp Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-ABCDEFG'

    'strict-dynamic' …; <script id="1" nonce="ABCDEFG"> doAmazingThings("yay"); // Executes. let s = document.createElement('script'); s.src = "/script.js"; document.body.appendChild(s); // Executes. </script> <script id="2">/* This will not execute. */</script> <script id="3" nonce="BOO">/* Nor this. */</script> <embed src="/flash.swf">/* Nor this. */</script> <base href="https://evil.com/" nor="this" />
  9. Trusted Types research.google/pubs/pub42934

  10. Trusted Types bit.ly/tt-introduction bit.ly/tt-spec

  11. let p = trustedTypes.createPolicy("my-policy", { createHTML: (i) => sanitizerGoesHere(i), createScript:

    (i) => anotherSanitizer(i), createScriptURL: (i) => allowedURLs(i) }); myDiv.innerHTML = p.createHTML(userInput); eval(p.createScript(moreInput)); scriptEl.src = p.createScriptURL(evenMore); Content-Security-Policy: ... require-trusted-types-for 'script'; trusted-types my-awesome-policy; Trusted Types bit.ly/tt-introduction bit.ly/tt-spec
  12. Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri ...; let p = trustedTypes.createPolicy("my-policy", {

    createHTML: a=>a, createScript: a=>a, createScriptURL: a=>a }); {"csp-report":{... "violated-directive": "require-trusted-types-for", "blocked-uri": "trusted-types-sink", "line-number": 128, "column-number": 73, "source-file": "https://example.site/a.html", "script-sample": "Element.innerHTML console.log('Hello');", ...}} Trusted Types bit.ly/tt-introduction bit.ly/tt-spec
  13. Scripting-Policy: nonce="ABCDEFG", require-trusted-types-for=(script) Scripting Policy (WIP) bit.ly/scripting-policy

  14. Isolation

  15. None
  16. None
  17. None
  18. None
  19. Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-origin a.com/js a.com sub.a.com b.com bit.ly/corp-spec

  20. Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-site a.com/js a.com sub.a.com b.com bit.ly/corp-spec

  21. Cross-Origin Resource Policy bit.ly/corp-spec Cross-Origin-Resource-Policy: cross-site a.com/js a.com sub.a.com b.com

  22. Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-origin bit.ly/corp-spec

  23. Please, set CORP headers for known cross-site responses.

  24. Cross-Origin Embedder Policy bit.ly/coep-spec Cross-Origin-Embedder-Policy: require-corp a.com a.com sub.a.com b.com

    CORP: same-origin CORP: same-site CORP: cross-site b.com
  25. COEP will be required when using APIs that amplify side-channel

  26. // Top-level navigation Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User:

    ?1 // <img> Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: cross-site Fetch Metadata bit.ly/fm-spec bit.ly/fm-policies Artur Janc 10:00ish tomorrow. Cross-Origin-Opener-Policy: same-origin; report-to=endpoint Cross-Origin Opener Policy bit.ly/coop-spec
  27. Securer Contexts (WIP)

  28. TLS is an insufficient baseline in 2020. Isolation is critical.

  29. Thanks! @mikewest mkwst@google.com