
Web Platform Security PhD Summit @ Google Munich

Web Platform Security. The threats browser vendors are exploring at the moment, and some mitigations thereof.

Mike West

June 25, 2018

Transcript

  1. Web Platform Security PhD Summit: Munich, June 2018. Threats. Mitigations. More. [email protected], @mikewest
  2. Fundamentals

  3. An Origin: https://[host]:[port]. Examples: https://example.com https://news.example https://ads.example https://shop.example

  4. A Site is a set of origins that share a registrable domain. https://example.com https://www.example.com https://sub.example.com https://sub.sub.example.com https://mikewest.github.io https://w3c.github.io
  5. Same Origin Policy https://news.example https://ads.example https://shop.example

  6. Site-Scoped Access https://news.example https://sub.news.example https://shop.example document.domain = "news.example"

  7. Turns out... https://www.arturjanc.com/cross-origin-infoleaks.pdf

  8. XSS <p> "Welcome, <script>alert(1);</script>!" </p> (More details from Sebastian Lekies this afternoon at 16:30)
  9. XSSI
    // https://victim.example/script
    var isLoggedIn = true;
    if (isLoggedIn) { // ... }
    (function () { var sekritData = 12345; globallyAccessibleFunction(sekritData); })();
    // Or, JSONP
    callback({"sekritData": 12345});
  10. XSSI Status-Quo Mitigations
    Serve static JavaScript. Make dynamic secrets difficult to execute, by:
    1. Prefixing responses with )]}'\n.
    2. Serving non-script responses (like HTML documents) with a non-script MIME type and X-Content-Type-Options: nosniff.
  11. CSRF

  12. CSRF Status-Quo Mitigations
    <input type="hidden" name="csrf_token" value="[sekrits go here]">
    Set-Cookie: csrf_token=sekrits; SameSite=Strict
  13. Framing

  14. Framing Status-Quo Mitigations
    // Headers
    Content-Security-Policy: frame-ancestors 'self'
    X-Frame-Options: SAMEORIGIN
    // JavaScript (ancestorOrigins lives on Location, not Window)
    doSomeVerification(location.ancestorOrigins);
    new IntersectionObserver(..., ...)
  15. Framing: both the <iframe> and window.open() variants allow DOM access.

  16. Loading Side-Effects: Explicit Risks
    <img src="https://an.example/login.php?next=https%3A%2F%2Fan.example%2Fimg.png"
         onload="alert('Signed in!')"
         onerror="alert('Signed out!')">
  17. Loading Side-Effects Implicit Risks

  18. Render Timing

  19. Turns out... (More details from clever V8 folks, tomorrow morning at 10:40)
  20. https://goo.gl/p5UrKw

  21. So, what's the plan? https://www.arturjanc.com/cross-origin-infoleaks.pdf

  22. Site Isolation (More details in the aforementioned talk tomorrow morning at 10:40, and in Parisa's closing keynote at 10:50 Wednesday) https://goo.gl/1p44Yt
  23. Why "Site"? https://goo.gl/NRCngd

  24. That's... going to take a while. What should we be doing today? https://www.arturjanc.com/cross-origin-infoleaks.pdf
  25. SameSite Cookies Mike West (Google) Mark Goodwin (Mozilla) https://goo.gl/tseFAa

  26. SameSite Cookies https://goo.gl/tseFAa
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Set-Cookie: sekrit=12345; SameSite=Strict
  27. Cross-Origin Read Blocking Łukasz Anforowicz (Google) Charlie Reis (Google) https://goo.gl/Pth6Kz

  28. Cross-Origin Resource Policy John Wilander (Apple) Anne van Kesteren (Mozilla) https://goo.gl/vBwgoh
  29. Cross-Origin Resource Policy https://goo.gl/vBwgoh
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Resource-Policy: same-site
  30. Cross-Origin Window Policy Ryosuke Niwa (Apple) https://github.com/whatwg/html/issues/3740

  31. Cross-Origin Window Policy https://goo.gl/vBwgoh
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Window-Policy: deny
  32. Sec-Metadata Mike West (Google) Artur Janc (Google) https://goo.gl/gUFnTf

  33. Sec-Metadata
    GET / HTTP/1.1
    Host: mikewest.org
    Connection: keep-alive
    ...
    Sec-Metadata: cause="user-activated", destination="document", site="same-origin", target="nested"
    ...
    https://goo.gl/gUFnTf
  34. Sec-Metadata https://goo.gl/gUFnTf
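
One way a server could act on these signals, as an added example that is not code from the deck or from any browser vendor: it parses the Sec-Metadata value shown on slide 33, makes a resource-isolation decision from it, and applies the )]}'\n XSSI prefix from slide 10. Assumed, not on the slides: the target values top-level and subresource (only nested appears on the slide) and the allow/deny rules themselves.

```javascript
// Added example, not from the deck. Header format taken from slide 33;
// policy rules and the "top-level"/"subresource" target values are assumptions.

// Parse `key="value", key="value"` into a plain object.
function parseSecMetadata(value) {
  const out = {};
  if (typeof value !== 'string') return out;
  const member = /([a-z-]+)="([^"]*)"/g;
  let m;
  while ((m = member.exec(value)) !== null) out[m[1]] = m[2];
  return out;
}

// Isolation policy for an authenticated endpoint: serve same-site requests
// and cross-site top-level navigations; refuse cross-site subresource
// requests (scripts, images, frames), which is where XSSI and the image
// onload/onerror probes from slide 16 live. Browsers that do not send the
// header yet are allowed through so the site keeps working for them.
function resourceIsolationDecision(secMetadataValue) {
  const md = parseSecMetadata(secMetadataValue);
  if (!md.site) return { allow: true, reason: 'no Sec-Metadata (legacy client)' };
  if (md.site === 'same-origin' || md.site === 'same-site') {
    return { allow: true, reason: `${md.site} request` };
  }
  if (md.destination === 'document' && md.target === 'top-level') {
    return { allow: true, reason: 'cross-site top-level navigation' };
  }
  return { allow: false, reason: `cross-site ${md.destination || 'unknown'} request blocked` };
}

// XSSI mitigation from slide 10: the prefix is a syntax error when the body
// is pulled in via <script>, but a same-site caller can strip it before parsing.
const XSSI_PREFIX = ")]}'\n";

function protectJson(obj) {
  return XSSI_PREFIX + JSON.stringify(obj);
}

function readProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) throw new Error('missing XSSI prefix');
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}
```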

  35. Early Hints RFC8297: Kazuho Oku (Fastly) https://tools.ietf.org/html/rfc8297

  36. Early Hints RFC8297: Kazuho Oku (Fastly) https://tools.ietf.org/html/rfc8297
    HTTP/1.1 103 Early Hints
    Cross-Origin-Resource-Policy: same-site
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Resource-Policy: same-site
    ...
  37. Thanks for your time! Mike West, [email protected], @mikewest https://www.arturjanc.com/cross-origin-infoleaks.pdf