Web Platform Security CMS Security Summit, Feb. 2020 Mike West NOT A DIRECTOR, CHROME SECURITY [email protected] 

Google Vulnerability Reward Program payouts in 2018 youtu.be/DDtM9caQ97I 

bit.ly/post-spectre-threat-model 

Injection and Isolation are our focus in 2020. 

Injection 

const templateId = location.hash.match(/tplid=([^;&]*)/)[1]; document.head.innerHTML += `` // `https://example.com#tplid=">` => // `https://example.com?name=alert(1)` => DOM XSS Reflected XSS 

Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-{random}' 'strict-dynamic' ...; Strict CSP bit.ly/strict-csp 

Strict CSP bit.ly/strict-csp Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-ABCDEFG' 'strict-dynamic' …; doAmazingThings("yay"); // Executes. let s = document.createElement('script'); s.src = "/script.js"; document.body.appendChild(s); // Executes. /* This will not execute. */ /* Nor this. */ /* Nor this. */ 

Trusted Types research.google/pubs/pub42934 

Trusted Types bit.ly/tt-introduction bit.ly/tt-spec 

let p = trustedTypes.createPolicy("my-policy", { createHTML: (i) => sanitizerGoesHere(i), createScript: (i) => anotherSanitizer(i), createScriptURL: (i) => allowedURLs(i) }); myDiv.innerHTML = p.createHTML(userInput); eval(p.createScript(moreInput)); scriptEl.src = p.createScriptURL(evenMore); Content-Security-Policy: ... require-trusted-types-for 'script'; trusted-types my-awesome-policy; Trusted Types bit.ly/tt-introduction bit.ly/tt-spec 

Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri ...; let p = trustedTypes.createPolicy("my-policy", { createHTML: a=>a, createScript: a=>a, createScriptURL: a=>a }); {"csp-report":{... "violated-directive": "require-trusted-types-for", "blocked-uri": "trusted-types-sink", "line-number": 128, "column-number": 73, "source-file": "https://example.site/a.html", "script-sample": "Element.innerHTML console.log('Hello');", ...}} Trusted Types bit.ly/tt-introduction bit.ly/tt-spec 

Scripting-Policy: nonce="ABCDEFG", require-trusted-types-for=(script) Scripting Policy (WIP) bit.ly/scripting-policy 

Isolation 

No content

No content

No content

No content

Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-origin a.com/js a.com sub.a.com b.com bit.ly/corp-spec 

Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-site a.com/js a.com sub.a.com b.com bit.ly/corp-spec 

Cross-Origin Resource Policy bit.ly/corp-spec Cross-Origin-Resource-Policy: cross-site a.com/js a.com sub.a.com b.com 

Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-origin bit.ly/corp-spec 

Please, set CORP headers for known cross-site responses. 

Cross-Origin Embedder Policy bit.ly/coep-spec Cross-Origin-Embedder-Policy: require-corp a.com a.com sub.a.com b.com CORP: same-origin CORP: same-site CORP: cross-site b.com 

COEP will be required when using APIs that amplify side-channel attacks. 

// Top-level navigation Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 // Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: cross-site Fetch Metadata bit.ly/fm-spec bit.ly/fm-policies Artur Janc 10:00ish tomorrow. Cross-Origin-Opener-Policy: same-origin; report-to=endpoint Cross-Origin Opener Policy bit.ly/coop-spec 

Securer Contexts (WIP) 

TLS is an insufficient baseline in 2020. Isolation is critical. bit.ly/securer-contexts 

Thanks! @mikewest [email protected]