
Web Platform Security @ CMS Security Summit 2020

Mike West
February 06, 2020

TL;DR:

1. The web platform arm of Chrome's security team aims to focus on isolation and injection mitigations in 2020.

2. Strict CSP is pretty good. Trusted Types is looking promising.

3. Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy are important new primitives that I hope y'all are paying attention to.

4. We should raise the bar for new development to include the mitigations above.

Transcript

  1. Web Platform Security
    CMS Security Summit, Feb. 2020
    Mike West
    NOT A DIRECTOR, CHROME SECURITY
    [email protected]


  2. Google Vulnerability Reward Program payouts in 2018
    youtu.be/DDtM9caQ97I

  3. bit.ly/post-spectre-threat-model


  4. Injection and Isolation are our focus in 2020.

  5. Injection


  6. DOM XSS
    const templateId = location.hash.match(/tplid=([^;&]*)/)[1];
    document.head.innerHTML += ``  // the markup inside the template literal did not survive the transcript
    // `https://example.com#tplid=">` =>

    Reflected XSS
    <?php
    echo "Hello, {$_GET['name']}!"
    ?>
    // `https://example.com?name=alert(1)` =>

  7. Strict CSP
    bit.ly/strict-csp
    Content-Security-Policy:
      object-src 'none'; base-uri 'none';
      script-src 'nonce-{random}' 'strict-dynamic' ...;

  8. Strict CSP
    bit.ly/strict-csp
    Content-Security-Policy:
      object-src 'none'; base-uri 'none';
      script-src 'nonce-ABCDEFG' 'strict-dynamic' …;

    // Inside a script element whose nonce matches the policy:
    doAmazingThings("yay"); // Executes.
    let s = document.createElement('script');
    s.src = "/script.js";
    document.body.appendChild(s); // Executes.

    // Script that does not carry the nonce:
    /* This will not execute. */
    /* Nor this. */
    /* Nor this. */
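An added check, not code from the talk, that parses a Content-Security-Policy header value and reports how it falls short of the Strict CSP shape on the slide (nonce- or hash-based script-src with 'strict-dynamic', object-src 'none', base-uri 'none'). The function names are this example's own.

```javascript
// Added example: lint a CSP header value against the Strict CSP recipe.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // Directive names are case-insensitive; source values are kept as written
    // because nonce and hash values are case-sensitive.
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

function strictCspProblems(header) {
  const p = parseCsp(header);
  const problems = [];
  const has = (list, keyword) => list.some((v) => v.toLowerCase() === keyword);
  // script-src falls back to default-src when absent.
  const script = p["script-src"] || p["default-src"];
  if (!script) {
    problems.push("no script-src (or default-src fallback)");
  } else {
    const nonceOrHash = script.some((v) => /^'(nonce-|sha(256|384|512)-)[^']+'$/i.test(v));
    if (!nonceOrHash) problems.push("script-src has no nonce or hash source");
    if (!has(script, "'strict-dynamic'")) problems.push("script-src lacks 'strict-dynamic'");
    // 'unsafe-inline' and https: are tolerated as fallbacks for old browsers:
    // a browser that understands nonces and 'strict-dynamic' ignores them.
  }
  if (!p["object-src"] || !has(p["object-src"], "'none'")) {
    problems.push("object-src must be 'none' (blocks plugin-based script execution)");
  }
  if (!p["base-uri"] || !(has(p["base-uri"], "'none'") || has(p["base-uri"], "'self'"))) {
    problems.push("base-uri must be 'none' (or 'self') so <base> cannot redirect relative script URLs");
  }
  return problems;
}
```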

  9. Trusted Types
    research.google/pubs/pub42934

  10. Trusted Types
    bit.ly/tt-introduction
    bit.ly/tt-spec

  11. Trusted Types
    bit.ly/tt-introduction
    bit.ly/tt-spec

    // The policy name must be listed in the trusted-types directive below,
    // otherwise createPolicy throws.
    let p = trustedTypes.createPolicy("my-policy", {
      createHTML: (i) => sanitizerGoesHere(i),
      createScript: (i) => anotherSanitizer(i),
      createScriptURL: (i) => allowedURLs(i)
    });
    myDiv.innerHTML = p.createHTML(userInput);
    eval(p.createScript(moreInput));
    scriptEl.src = p.createScriptURL(evenMore);

    Content-Security-Policy:
      ...
      require-trusted-types-for 'script';
      trusted-types my-awesome-policy;

  12. Trusted Types
    bit.ly/tt-introduction
    bit.ly/tt-spec

    Content-Security-Policy-Report-Only:
      require-trusted-types-for 'script'; report-uri ...;

    // Pass-through policy: nothing changes for users, but every sink that
    // still receives a plain string shows up in the reports.
    let p = trustedTypes.createPolicy("my-policy", {
      createHTML: a=>a, createScript: a=>a, createScriptURL: a=>a
    });

    {"csp-report":{...
      "violated-directive": "require-trusted-types-for",
      "blocked-uri": "trusted-types-sink",
      "line-number": 128,
      "column-number": 73,
      "source-file": "https://example.site/a.html",
      "script-sample": "Element.innerHTML console.log('Hello');",
    ...}}
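An added example, not from the talk, of what to do with the reports the report-only deployment above sends back: group the Trusted Types violations by sink and source location so the team can see which code paths still hand plain strings to injection sinks before switching to enforcement. The report objects are constructed here in the shape shown on the slide; the function name is this example's own.

```javascript
// Constructed sample reports in the csp-report shape from the slide.
const sampleReports = [
  { "csp-report": { "violated-directive": "require-trusted-types-for",
      "blocked-uri": "trusted-types-sink", "source-file": "https://example.site/a.html",
      "line-number": 128, "column-number": 73,
      "script-sample": "Element.innerHTML console.log('Hello');" } },
  { "csp-report": { "violated-directive": "require-trusted-types-for",
      "blocked-uri": "trusted-types-sink", "source-file": "https://example.site/a.html",
      "line-number": 128, "column-number": 73,
      "script-sample": "Element.innerHTML console.log('Hello');" } },
  { "csp-report": { "violated-directive": "require-trusted-types-for",
      "blocked-uri": "trusted-types-sink", "source-file": "https://example.site/b.js",
      "line-number": 12, "column-number": 5,
      "script-sample": "HTMLScriptElement.src https://cdn.example/x.js" } },
  // An ordinary script-src report, not a Trusted Types violation; it is skipped.
  { "csp-report": { "violated-directive": "script-src", "blocked-uri": "inline",
      "source-file": "https://example.site/a.html", "line-number": 3, "column-number": 1 } },
];

function summarizeTrustedTypesReports(reports) {
  const bySink = new Map(); // "sink @ file:line:col" -> { count, sample }
  for (const r of reports) {
    const v = r["csp-report"];
    if (!v || v["violated-directive"] !== "require-trusted-types-for") continue;
    // The script-sample starts with the sink name (e.g. Element.innerHTML),
    // followed by a prefix of the string that reached it.
    const [sink, ...rest] = (v["script-sample"] || "").split(" ");
    const key = `${sink || "unknown-sink"} @ ${v["source-file"]}:${v["line-number"]}:${v["column-number"]}`;
    const entry = bySink.get(key) || { count: 0, sample: rest.join(" ") };
    entry.count += 1;
    bySink.set(key, entry);
  }
  // Sinks hit most often first; each entry is one place to route through a policy.
  return [...bySink.entries()]
    .map(([location, { count, sample }]) => ({ location, count, sample }))
    .sort((a, b) => b.count - a.count);
}
```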

  13. Scripting Policy (WIP)
    bit.ly/scripting-policy
    Scripting-Policy: nonce="ABCDEFG",
                      require-trusted-types-for=(script)

  14. Isolation


  19. Cross-Origin Resource Policy
    bit.ly/corp-spec
    Cross-Origin-Resource-Policy: same-origin
    [diagram: a.com/js requested from a.com, sub.a.com and b.com]

  20. Cross-Origin Resource Policy
    bit.ly/corp-spec
    Cross-Origin-Resource-Policy: same-site
    [diagram: a.com/js requested from a.com, sub.a.com and b.com]

  21. Cross-Origin Resource Policy
    bit.ly/corp-spec
    Cross-Origin-Resource-Policy: cross-site
    [diagram: a.com/js requested from a.com, sub.a.com and b.com]

  22. Cross-Origin Resource Policy
    bit.ly/corp-spec
    Cross-Origin-Resource-Policy: same-origin

  23. Please, set CORP headers for known cross-site responses.

  24. Cross-Origin Embedder Policy
    bit.ly/coep-spec
    Cross-Origin-Embedder-Policy: require-corp
    [diagram: a.com embedding responses from a.com (CORP: same-origin), sub.a.com (CORP: same-site), b.com (CORP: cross-site) and b.com with no CORP header]
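An added example, not from the talk, of the load decision behind the CORP diagrams on slides 19 to 22 and the COEP diagram above. Site equality is approximated by the last two host labels (real browsers use the Public Suffix List), a scheme mismatch counts as cross-site, and the function names are this example's own.

```javascript
// Added example: does a no-cors subresource load succeed under CORP and COEP?
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function site(url) {
  // Approximation: registrable domain = last two labels (assumption, no PSL).
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

// embedderUrl: the document making a no-cors request (img, script, ...).
// resourceUrl: the response's URL.
// corp: the response's Cross-Origin-Resource-Policy value, or null if absent.
// coep: the embedder's Cross-Origin-Embedder-Policy value, or null if absent.
// corsGranted: true when the response was a successful CORS response instead.
function canLoad({ embedderUrl, resourceUrl, corp = null, coep = null, corsGranted = false }) {
  // Same-origin loads are never affected by CORP or COEP.
  if (origin(embedderUrl) === origin(resourceUrl)) return true;
  // An explicit CORS grant is at least as strong as any CORP value.
  if (corsGranted) return true;
  if (corp === "same-origin") return false;
  if (corp === "same-site") return site(embedderUrl) === site(resourceUrl);
  if (corp === "cross-site") return true;
  // No (or unrecognised) CORP header: a page without COEP loads the response
  // as it always has; a require-corp embedder refuses it, which is the point
  // of COEP: every cross-origin subresource must have opted in.
  return coep !== "require-corp";
}
```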

  25. COEP will be required when using APIs that amplify side-channel attacks.

  26. Fetch Metadata
    bit.ly/fm-spec
    bit.ly/fm-policies

    // Top-level navigation
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

    // Cross-site image request
    Sec-Fetch-Dest: image
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Site: cross-site

    Artur Janc, 10:00ish tomorrow.

    Cross-Origin Opener Policy
    bit.ly/coop-spec
    Cross-Origin-Opener-Policy: same-origin; report-to=endpoint
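An added example, not from the talk, of a server-side resource isolation policy of the kind bit.ly/fm-policies describes, driven by the Sec-Fetch-* headers on the slide: cross-site requests are refused unless they are a plain top-level navigation, and browsers that send no Fetch Metadata are let through. The request shape ({ method, headers }) and the function name are this example's own.

```javascript
// Added example: allow or deny a request from its Fetch Metadata headers.
function isRequestAllowed(req) {
  const header = (name) => {
    const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : req.headers[key];
  };
  const site = header("sec-fetch-site");
  // Browsers that do not send Fetch Metadata: nothing to decide on, let it through.
  if (site === undefined) return true;
  // Same-origin, same-site and user-initiated (address bar, bookmark) requests.
  if (site === "same-origin" || site === "same-site" || site === "none") return true;
  // Everything else is cross-site. Allow only GET navigations that will become
  // a document or frame, never plugin content, so the site stays reachable
  // from links while cross-site subresource and XHR loads are refused.
  const dest = header("sec-fetch-dest");
  const isNavigation = header("sec-fetch-mode") === "navigate";
  const isPluginDest = dest === "object" || dest === "embed";
  return isNavigation && req.method === "GET" && !isPluginDest;
}

// Constructed requests carrying the two header sets shown on the slide.
const topLevelNavigation = {
  method: "GET",
  headers: { "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
             "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1" },
};
const crossSiteImage = {
  method: "GET",
  headers: { "Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors",
             "Sec-Fetch-Site": "cross-site" },
};
```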

  27. Securer Contexts (WIP)


  28. TLS is an insufficient baseline in 2020. Isolation is critical.
    bit.ly/securer-contexts

  29. Thanks!
    @mikewest
    [email protected]
