Slide 1

Web Platform Security
PhD Summit: Munich, June 2018
Threats. Mitigations. More.
[email protected], @mikewest

Slide 2

Fundamentals

Slide 3

An Origin. https://[host]:[port]

https://example.com
https://news.example
https://ads.example
https://shop.example

Slide 4

A Site is a set of origins that share a registrable domain.

https://example.com
https://www.example.com
https://sub.example.com
https://sub.sub.example.com

https://mikewest.github.io
https://w3c.github.io

Slide 5

Same Origin Policy

https://news.example
https://ads.example
https://shop.example

Slide 6

Site-Scoped Access

https://news.example
https://sub.news.example
https://shop.example

document.domain = "news.example"

Slide 7

Turns out... https://www.arturjanc.com/cross-origin-infoleaks.pdf

Slide 8

XSS

"Welcome, alert(1);!"

(More details from Sebastian Lekies this afternoon at 16:30)

Slide 9

XSSI

// https://victim.example/script
var isLoggedIn = true;
if (isLoggedIn) {
  // ...
}

(function () {
  var sekritData = 12345;
  globallyAccessibleFunction(sekritData);
})();

// Or, JSONP
callback({"sekritData": 12345});

Slide 10

XSSI Status-Quo Mitigations

Serve static JavaScript. Make dynamic secrets difficult to execute, by:
1. Prefixing responses with )]}'\n.
2. Serving non-script responses (like HTML documents) with a non-script MIME type and X-Content-Type-Options: nosniff.
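The two mitigations above, worked through in JavaScript as an added example (not from the talk): a JSON endpoint that prefixes its body and sets nosniff, the same-origin client that strips the prefix, and a check that the prefixed body no longer parses as a script. Function names and the response shape are this example's own.

```javascript
// Added example (not from the slides): the two XSSI mitigations from slide 10.
// The function names and the response shape are this example's own.
const XSSI_PREFIX = ")]}'\n";

// Server side: what a JSON endpoint carrying per-user data should return.
function buildProtectedJsonResponse(data) {
  return {
    status: 200,
    headers: {
      // Non-script MIME type plus nosniff: the browser will refuse to run
      // this body as a script even if a <script src> points at it.
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: XSSI_PREFIX + JSON.stringify(data),
  };
}

// Client side (same-origin fetch/XHR): strip the prefix, then parse.
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("missing XSSI prefix; refusing to parse");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Why the prefix matters: a body starting with ")]}'" is not valid
// JavaScript, so a cross-site <script src> inclusion fails at parse time,
// before any statement that could expose the data runs.
// new Function() stands in for the browser's script parser here.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (_) {
    return false;
  }
}

// Constructed sample: the "sekritData" from slide 9, as JSONP and as JSON.
const jsonp = 'callback({"sekritData": 12345});';
const response = buildProtectedJsonResponse({ sekritData: 12345 });
console.log(isExecutableAsScript(jsonp));                  // true
console.log(isExecutableAsScript(XSSI_PREFIX + jsonp));    // false
console.log(isExecutableAsScript(response.body));          // false
console.log(parseProtectedJson(response.body).sekritData); // 12345
```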

Slide 11

CSRF

Slide 12

CSRF Status-Quo Mitigations

Set-Cookie: csrf_token=sekrits; SameSite=Strict

Slide 13

Framing

Slide 14

Framing Status-Quo Mitigations

// Headers
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN

// JavaScript
doSomeVerification(window.ancestorOrigins);
new IntersectionObserver(..., ...)

Slide 15

Framing

Both and window.open() variants allow DOM access

Slide 16

Loading Side-Effects: Explicit Risks

Slide 17

Loading Side-Effects: Implicit Risks

Slide 18

Render Timing

Slide 19

Turns out... (More details from clever V8 folks, tomorrow morning at 10:40)

Slide 20

https://goo.gl/p5UrKw

Slide 21

So, what's the plan? https://www.arturjanc.com/cross-origin-infoleaks.pdf

Slide 22

Site Isolation (More details in the aforementioned talk tomorrow morning at 10:40, and in Parisa's closing keynote at 10:50 Wednesday) https://goo.gl/1p44Yt

Slide 23

Why "Site"? https://goo.gl/NRCngd

Slide 24

That's... going to take a while. What should we be doing today? https://www.arturjanc.com/cross-origin-infoleaks.pdf

Slide 25

SameSite Cookies
Mike West (Google), Mark Goodwin (Mozilla)
https://goo.gl/tseFAa

Slide 26

SameSite Cookies
https://goo.gl/tseFAa

HTTP/1.1 200 OK
Date: Fri, 26 May 2018 10:02:11 GMT
Content-Length: 1234
Content-Type: text/html; charset=utf-8
Set-Cookie: sekrit=12345; SameSite=Strict

Slide 27

Cross-Origin Read Blocking
Łukasz Anforowicz (Google), Charlie Reis (Google)
https://goo.gl/Pth6Kz

Slide 28

Cross-Origin Resource Policy
John Wilander (Apple), Anne van Kesteren (Mozilla)
https://goo.gl/vBwgoh

Slide 29

Cross-Origin Resource Policy
https://goo.gl/vBwgoh

HTTP/1.1 200 OK
Date: Fri, 26 May 2018 10:02:11 GMT
Content-Length: 1234
Content-Type: text/html; charset=utf-8
Cross-Origin-Resource-Policy: same-site

Slide 30

Cross-Origin Window Policy
Ryosuke Niwa (Apple)
https://github.com/whatwg/html/issues/3740

Slide 31

Cross-Origin Window Policy
https://goo.gl/vBwgoh

HTTP/1.1 200 OK
Date: Fri, 26 May 2018 10:02:11 GMT
Content-Length: 1234
Content-Type: text/html; charset=utf-8
Cross-Origin-Window-Policy: deny

Slide 32

Sec-Metadata
Mike West (Google), Artur Janc (Google)
https://goo.gl/gUFnTf

Slide 33

Sec-Metadata

GET / HTTP/1.1
Host: mikewest.org
Connection: keep-alive
...
Sec-Metadata: cause="user-activated", destination="document", site="same-origin", target="nested"
...

https://goo.gl/gUFnTf

Slide 34

Sec-Metadata https://goo.gl/gUFnTf

Slide 35

Early Hints
RFC8297: Kazuho Oku (Fastly)
https://tools.ietf.org/html/rfc8297

Slide 36

Early Hints
RFC8297: Kazuho Oku (Fastly)
https://tools.ietf.org/html/rfc8297

HTTP/1.1 103 Early Hints
Cross-Origin-Resource-Policy: same-site

HTTP/1.1 200 OK
Date: Fri, 26 May 2018 10:02:11 GMT
Content-Length: 1234
Content-Type: text/html; charset=utf-8
Cross-Origin-Resource-Policy: same-site
...

Slide 37

Thanks for your time!
Mike West, [email protected], @mikewest
https://www.arturjanc.com/cross-origin-infoleaks.pdf