Web Platform Security PhD Summit @ Google Munich

Web Platform Security. The threats browser vendors are exploring at the moment, and some mitigations thereof.

Mike West

June 25, 2018

Transcript

  1. Web Platform Security
    PhD Summit: Munich, June 2018
    Threats. Mitigations. More.
    [email protected], @mikewest

  2. Fundamentals

  3. https://[host]:[port]
    An Origin.
    https://example.com https://news.example https://ads.example https://shop.example

  4. A Site is a set of origins that
    share a registrable domain.
    https://example.com https://mikewest.github.io
    https://www.example.com
    https://sub.example.com
    https://sub.sub.example.com https://w3c.github.io

  5. Same Origin Policy
    https://news.example
    https://ads.example
    https://shop.example

  6. Site-Scoped Access
    https://news.example
    https://sub.news.example
    https://shop.example
    document.domain = "news.example"

  7. Turns out...
    https://www.arturjanc.com/cross-origin-infoleaks.pdf

  8. XSS
    "Welcome, alert(1);!"

    (More details from
    Sebastian Lekies this
    afternoon at 16:30)

  9. XSSI
    // https://victim.example/script
    var isLoggedIn = true;
    if (isLoggedIn) {
      // ...
    }
    (function () {
      var sekritData = 12345;
      globallyAccessibleFunction(sekritData);
    })();
    // Or, JSONP
    callback({"sekritData": 12345});

  10. XSSI
    Status-Quo Mitigations
    Serve static JavaScript.
    Make dynamic secrets difficult to execute, by:
    1. Prefixing responses with )]}'\n.
    2. Serving non-script responses (like HTML documents) with a non-script MIME type and X-Content-Type-Options: nosniff.
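
The two mitigations above in working form, as an added example that is not part of the slides: a JSON endpoint served with the `)]}'\n` prefix and `nosniff`, the same-origin reader that strips the prefix, and a parse-only check of what a cross-site `<script src>` include of that body would get. Function and constant names are my own.

```javascript
// Added example, not from the slides: a JSON endpoint served with the two
// XSSI mitigations listed above, the matching same-origin reader, and a
// parse-only check of what cross-site <script src> inclusion would get.
const XSSI_PREFIX = ")]}'\n";

// Server side: the prefix makes the body a syntax error when run as a script,
// and nosniff stops the browser from sniffing a script type for a non-script body.
function buildProtectedResponse(data) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: XSSI_PREFIX + JSON.stringify(data),
  };
}

// Same-origin client: fetch() the body, strip the prefix, then parse. Refusing
// an unprefixed body catches a misconfigured endpoint early.
function parseProtectedBody(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("missing XSSI prefix: refusing to parse");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// What a <script src> include of the body would do: the browser parses it as
// JavaScript. Parse only (never executed) to show whether the prefix kills it.
function runsAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}
```

The unprefixed JSONP body from the previous slide parses as a script; the prefixed one does not, so a cross-site include learns nothing.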

  11. CSRF

  12. CSRF
    Status-Quo Mitigations
    <input type="hidden" name="csrf_token" value="[sekrits go here]">
    Set-Cookie: csrf_token=sekrits; SameSite=Strict

  13. Framing

  14. Framing
    Status-Quo Mitigations
    // Headers
    Content-Security-Policy: frame-ancestors 'self'
    X-Frame-Options: SAMEORIGIN
    // JavaScript
    doSomeVerification(window.ancestorOrigins);
    new IntersectionObserver(..., ...)

  15. Framing
    Both <iframe> and window.open() variants allow DOM access.

  16. Loading Side-Effects
    Explicit Risks
    <img src="https://an.example/login.php?next=https%3A%2F%2Fan.example%2Fimg.png"
         onload="alert('Signed in!')"
         onerror="alert('Signed out!')">

  17. Loading Side-Effects
    Implicit Risks

  18. Render Timing

  19. Turns out...
    (More details from clever V8 folks, tomorrow morning at 10:40)

  20. https://goo.gl/p5UrKw

  21. So, what's the plan?
    https://www.arturjanc.com/cross-origin-infoleaks.pdf

  22. Site Isolation
    (More details in the aforementioned talk tomorrow morning at 10:40, and in Parisa's closing keynote at 10:50 Wednesday)
    https://goo.gl/1p44Yt

  23. Why "Site"?
    https://goo.gl/NRCngd

  24. That's... going to take a while. What should we be doing today?
    https://www.arturjanc.com/cross-origin-infoleaks.pdf

  25. SameSite Cookies
    Mike West (Google)
    Mark Goodwin (Mozilla)
    https://goo.gl/tseFAa

  26. SameSite Cookies
    https://goo.gl/tseFAa
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Set-Cookie: sekrit=12345; SameSite=Strict

  27. Cross-Origin Read Blocking
    Łukasz Anforowicz (Google)
    Charlie Reis (Google)
    https://goo.gl/Pth6Kz

  28. Cross-Origin Resource Policy
    John Wilander (Apple)
    Anne van Kesteren (Mozilla)
    https://goo.gl/vBwgoh

  29. Cross-Origin Resource Policy
    https://goo.gl/vBwgoh
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Resource-Policy: same-site
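
How a browser would act on that header, as an added example that is not part of the slides: the "site" relation from slide 4 (shared registrable domain) written out, then the Cross-Origin-Resource-Policy decision for `same-origin` and `same-site`. The public-suffix set is a constructed stand-in for the real Public Suffix List, covering only the origins the slides use, and the function names are my own.

```javascript
// Added example, not from the slides: the "site" relation of slide 4 and the
// browser-side check for Cross-Origin-Resource-Policy (CORP) above. A real
// browser consults the full Public Suffix List; this constructed subset covers
// only the origins the slides use.
const PUBLIC_SUFFIXES = new Set(["com", "example", "io", "github.io"]);

// Registrable domain (eTLD+1): the longest public suffix plus one label.
// Returns null when the host is itself a public suffix (github.io).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  if (PUBLIC_SUFFIXES.has(labels.join("."))) return null;
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // no known suffix (an intranet name): the host itself
}

// Two origins are same-site when their registrable domains match, as slide 4
// defines it. (Current browsers additionally require the same scheme.)
function sameSite(originA, originB) {
  const a = registrableDomain(new URL(originA).hostname);
  const b = registrableDomain(new URL(originB).hostname);
  return a !== null && a === b;
}

// CORP as enforced by the browser: given the origin of the page making a
// no-cors request, the origin of the resource and the header value, decide
// whether the response body may be delivered into that page's process.
function corpAllows(requestOrigin, resourceOrigin, corpHeader) {
  const policy = (corpHeader || "").trim().toLowerCase();
  if (policy === "same-origin") return requestOrigin === resourceOrigin;
  if (policy === "same-site") return sameSite(requestOrigin, resourceOrigin);
  return true; // no header, or an unknown value: delivered as before CORP
}
```

Note that mikewest.github.io and w3c.github.io come out as different sites because github.io is a public suffix, which is exactly why slide 4 lists them apart.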

  30. Cross-Origin Window Policy
    Ryosuke Niwa (Apple)
    https://github.com/whatwg/html/issues/3740

  31. Cross-Origin Window Policy
    https://goo.gl/vBwgoh
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Window-Policy: deny

  32. Sec-Metadata
    Mike West (Google)
    Artur Janc (Google)
    https://goo.gl/gUFnTf

  33. Sec-Metadata
    GET / HTTP/1.1
    Host: mikewest.org
    Connection: keep-alive
    ...
    Sec-Metadata: cause="user-activated",
    destination="document",
    site="same-origin",
    target="nested"
    ...
    https://goo.gl/gUFnTf
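
What a server can do with that header, as an added example that is not part of the slides: a parser for the `cause`/`destination`/`site`/`target` members shown above and a constructed policy for a credentialed endpoint that serves same-site traffic, allows user-initiated cross-site top-level navigations, and rejects cross-site subresource loads and framing. The values "cross-site", "top-level", "subresource" and "forced" are assumed from the Sec-Metadata draft rather than taken from the slide; the function names are my own.

```javascript
// Added example, not from the slides: a server-side filter driven by the
// Sec-Metadata request header shown above. The value names "cross-site",
// "top-level", "subresource" and "forced" are assumed from the Sec-Metadata
// draft; the policy itself is constructed for illustration.

// Parse `cause="...", destination="...", site="...", target="..."` into an
// object. Returns null if any member is malformed, so the caller fails closed.
function parseSecMetadata(value) {
  const md = {};
  for (const member of value.split(",")) {
    const m = member.trim().match(/^([a-z-]+)="([^"]*)"$/);
    if (!m) return null;
    md[m[1]] = m[2];
  }
  return md;
}

// Decide whether a credentialed endpoint should serve a request. Returns
// "serve" or a short rejection reason (the server would answer 403).
function applySecMetadataPolicy(headerValue) {
  // Browsers that do not send the header give no signal; the endpoint's other
  // defences (XSSI prefix, CSRF tokens, frame-ancestors) still apply.
  if (headerValue === undefined) return "serve";
  const md = parseSecMetadata(headerValue);
  if (md === null) return "reject: malformed Sec-Metadata";
  if (md.site === "same-origin" || md.site === "same-site") return "serve";
  // Cross-site requests: only a user-initiated top-level navigation (a link
  // click) is something a cross-site page legitimately needs from us.
  if (md.destination === "document") {
    return md.target === "top-level" && md.cause === "user-activated"
      ? "serve"
      : "reject: cross-site framing or forced navigation";
  }
  // Cross-site <script>, <img>, fetch() etc. are the XSSI and side-channel
  // loads the earlier slides warn about; refuse them.
  return `reject: cross-site ${md.destination} load`;
}

// The request from the slide, reconstructed as a single header value.
const SLIDE_REQUEST =
  'cause="user-activated", destination="document", site="same-origin", target="nested"';
```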

  34. Sec-Metadata
    https://goo.gl/gUFnTf

  35. Early Hints
    RFC8297:
    Kazuho Oku (Fastly)
    https://tools.ietf.org/html/rfc8297

  36. Early Hints
    RFC8297:
    Kazuho Oku (Fastly)
    https://tools.ietf.org/html/rfc8297
    HTTP/1.1 103 Early Hints
    Cross-Origin-Resource-Policy: same-site
    HTTP/1.1 200 OK
    Date: Fri, 26 May 2018 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Cross-Origin-Resource-Policy: same-site
    ...

  37. Thanks for your time!
    Mike West, [email protected], @mikewest
    https://www.arturjanc.com/cross-origin-infoleaks.pdf