Web Platform Security PhD Summit @ Google Munich

Web Platform Security. The threats browser vendors are exploring at the moment, and some mitigations thereof.

Mike West

June 25, 2018

Transcript

  1. Web Platform Security PhD Summit: Munich, June 2018. Threats. Mitigations. More. mkwst@google.com, @mikewest

  2. Fundamentals

  3. An Origin: https://[host]:[port]. https://example.com https://news.example https://ads.example https://shop.example

  4. A Site is a set of origins that share a registrable domain. https://example.com https://mikewest.github.io https://www.example.com https://sub.example.com https://sub.sub.example.com https://w3c.github.io

  5. Same Origin Policy: https://news.example https://ads.example https://shop.example

  6. Site-Scoped Access: https://news.example https://sub.news.example https://shop.example; document.domain = "news.example"

  7. Turns out... https://www.arturjanc.com/cross-origin-infoleaks.pdf

  8. XSS: <p> "Welcome, <script>alert(1);</script>!" </p> (More details from Sebastian Lekies this afternoon at 16:30)

  9. XSSI: // https://victim.example/script var isLoggedIn = true; if (isLoggedIn) { // ... } (function () { var sekritData = 12345; globallyAccessibleFunction(sekritData); })(); // Or, JSONP callback({"sekritData": 12345});

  10. XSSI Status-Quo Mitigations: Serve static JavaScript. Make dynamic secrets difficult to execute, by: 1. Prefixing responses with )]}'\n. 2. Serving non-script responses (like HTML documents) with a non-script MIME type and X-Content-Type-Options: nosniff.

  11. CSRF

  12. CSRF Status-Quo Mitigations: <input type="hidden" name="csrf_token" value="[sekrits go here]"> Set-Cookie: csrf_token=sekrits; SameSite=Strict

  13. Framing

  14. Framing Status-Quo Mitigations: // Headers Content-Security-Policy: frame-ancestors 'self' X-Frame-Options: SAMEORIGIN // JavaScript doSomeVerification(location.ancestorOrigins); new IntersectionObserver(..., ...)

  15. Framing: Both <iframe> and window.open() variants allow DOM access

  16. Loading Side-Effects, Explicit Risks: <img src="https://an.example/login.php?next=https%3A%2F%2Fan.example%2Fimg.png" onload="alert('Signed in!')" onerror="alert('Signed out!')">

  17. Loading Side-Effects, Implicit Risks

  18. Render Timing

  19. Turns out... (More details from clever V8 folks, tomorrow morning at 10:40)

  20. https://goo.gl/p5UrKw

  21. So, what's the plan? https://www.arturjanc.com/cross-origin-infoleaks.pdf

  22. Site Isolation (More details in the aforementioned talk tomorrow morning at 10:40, and in Parisa's closing keynote at 10:50 Wednesday) https://goo.gl/1p44Yt

  23. Why "Site"? https://goo.gl/NRCngd

  24. That's... going to take a while. What should we be doing today? https://www.arturjanc.com/cross-origin-infoleaks.pdf

  25. SameSite Cookies: Mike West (Google), Mark Goodwin (Mozilla) https://goo.gl/tseFAa

  26. SameSite Cookies https://goo.gl/tseFAa HTTP/1.1 200 OK Date: Fri, 26 May 2018 10:02:11 GMT Content-Length: 1234 Content-Type: text/html; charset=utf-8 Set-Cookie: sekrit=12345; SameSite=Strict

  27. Cross-Origin Read Blocking: Łukasz Anforowicz (Google), Charlie Reis (Google) https://goo.gl/Pth6Kz

  28. Cross-Origin Resource Policy: John Wilander (Apple), Anne van Kesteren (Mozilla) https://goo.gl/vBwgoh

  29. Cross-Origin Resource Policy https://goo.gl/vBwgoh HTTP/1.1 200 OK Date: Fri, 26 May 2018 10:02:11 GMT Content-Length: 1234 Content-Type: text/html; charset=utf-8 Cross-Origin-Resource-Policy: same-site

  30. Cross-Origin Window Policy: Ryosuke Niwa (Apple) https://github.com/whatwg/html/issues/3740

  31. Cross-Origin Window Policy https://goo.gl/vBwgoh HTTP/1.1 200 OK Date: Fri, 26 May 2018 10:02:11 GMT Content-Length: 1234 Content-Type: text/html; charset=utf-8 Cross-Origin-Window-Policy: deny

  32. Sec-Metadata: Mike West (Google), Artur Janc (Google) https://goo.gl/gUFnTf

  33. Sec-Metadata GET / HTTP/1.1 Host: mikewest.org Connection: keep-alive ... Sec-Metadata: cause="user-activated", destination="document", site="same-origin", target="nested" ... https://goo.gl/gUFnTf

  34. Sec-Metadata https://goo.gl/gUFnTf
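
As an added example (not from the slides and not Google's or any browser vendor's code), a server-side filter that parses the draft Sec-Metadata header shown on slide 33 and applies a resource-isolation policy: same-origin and same-site requests pass, cross-site requests are limited to top-level navigations over safe methods, which covers the XSSI, framing, load side-effect and CSRF threats from the earlier slides in one check. The values site="cross-site", destination="image", target="top-level"/"subresource" and cause="forced" are assumed from the 2018 draft rather than taken from the slides; the sample headers are constructed.

```python
import re

# Values beyond those on the slides (site="cross-site", destination="image",
# target="top-level"/"subresource", cause="forced") are assumed from the 2018
# Sec-Metadata draft; the policy itself is illustrative, not a vendor's code.
_PAIR = re.compile(r'([a-z-]+)="([^"]*)"')


def parse_sec_metadata(value):
    """Parse the draft's 'key="value", key="value"' form into a dict.
    Anything not in that shape yields {} so the caller fails closed."""
    result = {}
    for part in value.split(","):
        match = _PAIR.fullmatch(part.strip())
        if match is None:
            return {}
        result[match.group(1)] = match.group(2)
    return result


def is_allowed(headers, method="GET"):
    """Resource-isolation decision for an incoming request.
    - No header: an older browser; allow, the header is defence in depth.
    - same-origin / same-site: our own pages; allow.
    - cross-site: allow only top-level navigations (a user following a
      link to us) over safe methods, so a cross-site page can neither
      embed our resources (XSSI, framing, load side effects) nor ride our
      cookies on a state-changing POST (CSRF)."""
    raw = headers.get("Sec-Metadata")
    if raw is None:
        return True
    md = parse_sec_metadata(raw)
    site = md.get("site")
    if site in ("same-origin", "same-site"):
        return True
    if (site == "cross-site"
            and md.get("destination") == "document"
            and md.get("target") != "nested"
            and method in ("GET", "HEAD")):
        return True
    return False


# Constructed sample requests (not captured traffic).
SAME_ORIGIN_FRAME = {"Sec-Metadata": 'cause="user-activated", destination="document", site="same-origin", target="nested"'}
CROSS_SITE_IMAGE = {"Sec-Metadata": 'cause="forced", destination="image", site="cross-site", target="subresource"'}
CROSS_SITE_LINK = {"Sec-Metadata": 'cause="user-activated", destination="document", site="cross-site", target="top-level"'}
```

A malformed header is treated as cross-site and denied; if that is too strict for a given deployment, log it first and enforce once the logs look clean.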

  35. Early Hints RFC8297: Kazuho Oku (Fastly) https://tools.ietf.org/html/rfc8297

  36. Early Hints RFC8297: Kazuho Oku (Fastly) https://tools.ietf.org/html/rfc8297 HTTP/1.1 103 Early Hints Cross-Origin-Resource-Policy: same-site HTTP/1.1 200 OK Date: Fri, 26 May 2018 10:02:11 GMT Content-Length: 1234 Content-Type: text/html; charset=utf-8 Cross-Origin-Resource-Policy: same-site ...

  37. Thanks for your time! Mike West, mkwst@google.com, @mikewest https://www.arturjanc.com/cross-origin-infoleaks.pdf