$30 off During Our Annual Pro Sale. View Details »

Web Platform Security PhD Summit @ Google Munich

Mike West
PRO
June 25, 2018
Programming
2
730

Web Platform Security PhD Summit @ Google Munich

Web Platform Security. The threats browser vendors are exploring at the moment, and some mitigations thereof.

Mike West
PRO

June 25, 2018
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
63
Isolation by Default
mikewest
PRO
0
1.5k
The Web We Can Ship
mikewest
PRO
0
320
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.1k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
130
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
390
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
90
BSides Munich
mikewest
PRO
0
280
Hardening the Web Platform - AppSec EU, 2016
mikewest
PRO
5
1.3k

Other Decks in Programming

See All in Programming
Git 和 DevOps - 在混亂的流星群開發流程中找到小確幸
eddie
1
860
​고군분투 LLM 프로덕트 적용기: Blind Prompting 부터 Agent까지
huffon
1
750
アクセシビリティを理解するとフロントエンドのテストが楽になる!
nano72mkn
1
1.6k
動くコードを書こう / let's code a process
kishida
20
6k
Voicyの生放送リスナー画面で パフォーマンスチューニングした話
miyuki2203
0
100
How to Be a Responsible Open Source Citizen
ivargrimstad
0
1.1k
Second-System Syndrome: A tale of power-assert
twada
PRO
9
3.4k
DMMプラットフォームにおけるコード品質を改善する取り組みの理想と現実
pospome
3
1.7k
OpenTelemetry の Trace を中心としたパフォーマンス改善
rmatsuoka
0
410
実践PubSubマイクロサービス / Implementation Pub Sub microservice
nrslib
3
930
Immutability Against The Machine
miciek
0
190
Java 8 から 21 へのバージョンアップでどう変わる?:実アプリケーションで学ぶ実装のポイント / 20231111 Key Implementation Points from Java 8 to 21
mackey0225
6
510

Featured

See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.3k
How GitHub (no longer) Works
holman
299
140k
Automating Front-end Workflow
addyosmani
1354
200k
Building a Scalable Design System with Sketch
lauravandoore
453
32k
Happy Clients
brianwarren
91
6.1k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
Ruby is Unlike a Banana
tanoku
93
10k
Six Lessons from altMBA
skipperchong
18
2.7k
Web Components: a chance to create the future
zenorocha
304
41k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
730

Transcript

  1. Web Platform Security
    PhD Summit: Munich, June 2018
    Threats. Mitigations. More.
    [email protected], @mikewest

    View Slide

  2. Fundamentals

    View Slide

  3. https://[host]:[port]
    An Origin.
    https://example.com https://news.example https://ads.example https://shop.example

    View Slide

  4. A Site is a set of origins that
    share a registrable domain.
    https://example.com https://mikewest.github.io
    https://www.example.com
    https://sub.example.com
    https://sub.sub.example.com https://w3c.github.io

    View Slide

  5. Same Origin Policy
    https://news.example
    https://ads.example
    https://shop.example

    View Slide

  6. Site-Scoped Access
    https://news.example
    https://sub.news.example
    https://shop.example
    document.domain = "news.example"

    View Slide

  7. Turns out...
    https://www.arturjanc.com/cross-origin-infoleaks.pdf

    View Slide

  8. XSS
    "Welcome, alert(1);!"

    (More details from
    Sebastian Lekies this
    afternoon at 16:30)

    View Slide

  9. XSSI
    // https://victim.example/script
    var isLoggedIn = true;
    if (isLoggedIn) {
    // ...
    }
    (function () {
    var sekritData = 12345;
    globallyAccessibleFunction(sekritData);
    })();
    // Or, JSONP
    callback({"sekritData": 12345});

    View Slide

  10. XSSI
    Status-Quo
    Mitigations
    Serve static JavaScript.
    Make dynamic secrets difficult to execute, by:
    1.
    Prefixing responses with )]}'\n.
    2.
    Serving non-script responses (like HTML
    documents) with a non-script MIME type and
    X-Content-Type-Options: nosniff.

    View Slide

  11. CSRF

    View Slide

  12. CSRF
    Status-Quo
    Mitigations
    value="[sekrits go here]">
    Set-Cookie: csrf_token=sekrits; SameSite=Strict

    View Slide

  13. Framing

    View Slide

  14. Framing
    Status-Quo
    Mitigations
    // Headers
    Content-Security-Policy: frame-ancestors 'self'
    X-Frame-Options: SAMEORIGIN
    // JavaScript
    doSomeVerification(window.ancestorOrigins);
    new IntersectionObserver(..., ...)

    View Slide

  15. Framing
    Both

    and
    window.open()
    variants
    allows DOM access

    View Slide

  16. Loading
    Side-Effects
    Explicit Risks
    src="https://an.example/login.php?
    next=https%3A%2F%2Fan.example%2Fimg.png"
    onload="alert('Signed in!')"
    onerror="alert('Signed out!')"
    >

    View Slide

  17. Loading
    Side-Effects
    Implicit Risks

    View Slide

  18. Render
    Timing

    View Slide

  19. Turns out...
    (More details from clever
    V8 folks, tomorrow
    morning at 10:40)

    View Slide

  20. https://goo.gl/p5UrKw

    View Slide

  21. So, what's the plan?
    https://www.arturjanc.com/cross-origin-infoleaks.pdf

    View Slide

  22. Site Isolation
    (More details in the
    aforementioned talk
    tomorrow
    morning at 10:40, and in
    Parisa's closing keynote
    at 10:50 Wednesday) https://goo.gl/1p44Yt

    View Slide

  23. Why "Site"?
    https://goo.gl/NRCngd

    View Slide

  24. That's... going to take a
    while. What should we be
    doing today?
    https://www.arturjanc.com/cross-origin-infoleaks.pdf

    View Slide

  25. SameSite
    Cookies
    Mike West (Google)
    Mark Goodwin (Mozilla)
    https://goo.gl/tseFAa

    View Slide

  26. SameSite
    Cookies
    https://goo.gl/tseFAa
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Set-Cookie: sekrit=12345; SameSite=Strict

    View Slide

  27. Cross-Origin
    Read Blocking
    Łukasz Anforowicz (Google)
    Charlie Reis (Google)
    https://goo.gl/Pth6Kz

    View Slide

  28. Cross-Origin
    Resource
    Policy
    John Wilander (Apple)
    Anne van Kesteren (Mozilla)
    https://goo.gl/vBwgoh

    View Slide

  29. Cross-Origin
    Resource
    Policy
    https://goo.gl/vBwgoh
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Resource-Policy: same-site

    View Slide

  30. Cross-Origin
    Window Policy
    Ryosuke Niwa (Apple)
    https://github.com/whatwg/html/issues/3740

    View Slide

  31. Cross-Origin
    Window Policy
    https://goo.gl/vBwgoh
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Window-Policy: deny

    View Slide

  32. Sec-Metadata
    Mike West (Google)
    Artur Janc (Google)
    https://goo.gl/gUFnTf

    View Slide

  33. Sec-Metadata
    GET / HTTP/1.1
    Host: mikewest.org
    Connection: keep-alive
    ...
    Sec-Metadata: cause="user-activated",
    destination="document",
    site="same-origin",
    target="nested"
    ...
    https://goo.gl/gUFnTf

    View Slide

  34. Sec-Metadata
    https://goo.gl/gUFnTf

    View Slide

  35. Early Hints
    RFC8297:
    Kazuho Oku (Fastly)
    https://tools.ietf.org/html/rfc8297

    View Slide

  36. Early Hints
    RFC8297:
    Kazuho Oku (Fastly)
    https://tools.ietf.org/html/rfc8297
    HTTP/1.1 103 Early Hints
    Cross-Origin-Resource-Policy: same-site
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Resource-Policy: same-site
    ...

    View Slide

  37. Thanks for your time!
    Mike West, [email protected], @mikewest
    https://www.arturjanc.com/cross-origin-infoleaks.pdf

    View Slide