Slide 1

Slide 1 text

Kick those to the sandbox
Andrew Dunkman (@adunkman)

Slide 2

Slide 2 text

1 Trust and security on the web
2 Malvertising & the principle of least privilege
3 Extending the browser sandbox

Slide 3

Slide 3 text

1 Trust and security on the web
Download this app!

Slide 7

Slide 7 text

1 Trust and security on the web
Go to this site! https://www.google.com

Slide 8

Slide 8 text

1 Trust and security on the web
Go to this site! https://www.weather.gov

Slide 9

Slide 9 text

1 Trust and security on the web
Go to this site! https://rebecca.blackfriday

Slide 10

Slide 10 text

1 Trust and security on the web
Go to this site! https://.la

Slide 11

Slide 11 text

1 Trust and security on the web

Slide 12

Slide 12 text

1 Trust and security on the web
Web security model basics
 Site scripts cannot access sensitive parts of your device.
 Downloaded content can’t be too large, and can be deleted at any time.
 Pages and scripts on the same site can communicate, but cannot communicate with different sites.
Sandbox’d!

Slide 13

Slide 13 text

1 Trust and security on the web
Web security has changed over time
Web security is always changing as the world changes how the internet is used. You’re responsible for protecting those less technically literate.

Slide 14

Slide 14 text

1 Trust and security on the web
 Instant Heart Rate: HR Monitor
 Flo Health Inc.’s Flo Period & Ovulation Tracker

Slide 15

Slide 15 text

1 Trust and security on the web
 Cross-site scripting attacks: malicious third-party scripts running in a trusted page.
 Advertising and social media embeds: (NON-)malicious third-party scripts running in a trusted page.

Slide 16

Slide 16 text

1 Trust and security on the web
2 Malvertising & the principle of least privilege
3 Extending the browser sandbox

Slide 17

Slide 17 text

2 Malvertising & the principle of least privilege
Malvertising: malware (malicious software) advertising — when a trusted third-party script betrays that trust.

Slide 18

Slide 18 text

2 Malvertising & the principle of least privilege
The power of the browser
We don’t often see the power we’re granting to third-party scripts. theannoyingsite.com

Slide 19

Slide 19 text

2 Malvertising & The principle of least privilege

Slide 20

Slide 20 text

2 Malvertising & the principle of least privilege
The principle of least privilege
If you have trustworthy neighbors, do they have your house keys? Do they have everyone’s house keys?
If you have a trustworthy application, does it have access to data from other applications? The ability to delete all your photos?

Slide 21

Slide 21 text

2 Malvertising & the principle of least privilege
Do you follow this principle?
Unless you limit them, third-party scripts have the power to do horrible things to people. You are responsible for what they do.

Slide 22

Slide 22 text

1 Trust and security on the web
2 Malvertising & the principle of least privilege
3 Extending the browser sandbox

Slide 23

Slide 23 text

3 Extending the browser sandbox
By default, share and allow everything
Backwards compatibility is one of the web’s biggest constraints. Tighter security is opt-in, which is taken advantage of by malicious sites and advertisers.

Slide 24

Slide 24 text

3 Extending the browser sandbox
Don’t share session data
By default, cookies are shared with third-party scripts within your sandbox. This can be prevented by hiding cookies from JavaScript:
Set-Cookie: user=wero2oi34jlksdf; path=/; HttpOnly

Slide 25

Slide 25 text

3 Extending the browser sandbox
Don’t share where you’ve been
By default, the current URL is provided to the next page and to embedded frames. This can be prevented by implementing a Referrer-Policy:
Referrer-Policy: no-referrer

Slide 26

Slide 26 text

3 Extending the browser sandbox
Referrer-Policy settings
 no-referrer
 no-referrer-when-downgrade
 origin
 origin-when-cross-origin
 same-origin
 strict-origin
 strict-origin-when-cross-origin
 unsafe-url
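As an added example (not code from the talk), the following Node script works out the Referer value a browser would send under each of the eight policies listed above, for a given source page and target request. It treats a "downgrade" as https to http, and the hosts in the sample are hypothetical.

```javascript
// Added example (not from the talk): the Referer value a browser sends for
// a request from `source` to `target` under each Referrer-Policy value in
// the list above. Simplification: a "downgrade" is treated as https -> http.
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

function originOf(url) {
  return new URL(url).origin + "/";              // scheme://host[:port]/
}

function stripped(url) {
  const u = new URL(url);                         // rebuild the URL without
  return u.origin + u.pathname + u.search;        // user:pass@ and #fragment
}

function referrerFor(policy, source, target) {
  const src = new URL(source), tgt = new URL(target);
  const sameOrigin = src.origin === tgt.origin;
  const downgrade = src.protocol === "https:" && tgt.protocol === "http:";
  switch (policy) {
    case "no-referrer":                return null;
    case "no-referrer-when-downgrade": return downgrade ? null : stripped(source);
    case "origin":                     return originOf(source);
    case "origin-when-cross-origin":   return sameOrigin ? stripped(source) : originOf(source);
    case "same-origin":                return sameOrigin ? stripped(source) : null;
    case "strict-origin":              return downgrade ? null : originOf(source);
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? stripped(source) : originOf(source);
    case "unsafe-url":                 return stripped(source);
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// One row per policy, so the trade-off is visible for one concrete request.
function referrerTable(source, target) {
  return Object.fromEntries(POLICIES.map(p => [p, referrerFor(p, source, target)]));
}

// Constructed sample (hypothetical hosts): a logged-in account page embedding a
// third-party ad frame, and the same page linking to itself over plain http.
console.table(referrerTable("https://shop.example/account?order=42", "https://ads.example.net/frame"));
console.table(referrerTable("https://shop.example/account?order=42", "http://shop.example/help"));
```

The first table shows that only no-referrer, same-origin and the strict/origin variants keep the account URL (including its query string) away from the ad host; the second shows which policies still leak it to a non-TLS page.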

Slide 27

Slide 27 text

3 Extending the browser sandbox
Don’t allow certain behaviors
All behaviors are enabled by default, but can be disabled by specifying an allow-list:
Content-Security-Policy: sandbox allow-scripts allow-same-origin allow-popups

Slide 28

Slide 28 text

3 Extending the browser sandbox
Sandbox settings
 allow-forms
 allow-modals
 allow-orientation-lock
 allow-pointer-lock
 allow-popups
 allow-popups-to-escape-sandbox
 allow-presentation
 allow-same-origin
 allow-scripts
 allow-storage-access-by-user-activation
 allow-top-navigation
 allow-top-navigation-by-user-activation

Slide 32

Slide 32 text

3 Extending the browser sandbox
Don’t allow unexpected domains
The browser will load scripts, fonts, videos, and all other content from anywhere by default. Instead, an allow-list can be specified:
Content-Security-Policy: default-src 'self' *.googleanalytics.com

Slide 33

Slide 33 text

3 Extending the browser sandbox
Content-Security-Policy settings
 default-src
 connect-src
 font-src
 frame-src
 img-src
 manifest-src
 media-src
 object-src
 script-src
 style-src
 worker-src
 report-uri
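As an added example (not code from the talk), here is a small Node checker for the "Don’t allow unexpected domains" slide and the directive list above: it parses a Content-Security-Policy header and decides which of a page’s loads the policy would block, including the fallback from the per-type directives to default-src. It covers only 'self', 'none' and host sources with an optional leading "*." wildcard; the hosts in the sample loads are hypothetical.

```javascript
// Added example (not from the talk): a minimal CSP checker. Supports 'self',
// 'none', host sources with an optional leading "*." wildcard, and the
// default-src fallback used by the fetch directives (script-src, img-src, ...).
// A browser handles much more (schemes, nonces, hashes, 'unsafe-inline').
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);                       // "*.x.com" -> ".x.com"
    return host.endsWith(suffix) && host.length > suffix.length; // needs >= 1 label
  }
  return pattern === host;
}

function sourceAllows(source, resourceUrl, pageOrigin) {
  const u = new URL(resourceUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === pageOrigin;  // scheme + host + port
  // Host source: drop an optional scheme, port and path; compare the host only.
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/:]/)[0];
  return hostMatches(host.toLowerCase(), u.hostname);
}

function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const sources = policy[directive] ?? policy["default-src"];  // fallback
  if (!sources) return true;                                   // nothing restricts it
  return sources.some(s => sourceAllows(s, resourceUrl, pageOrigin));
}

// Constructed sample loads (hypothetical hosts) checked against the header
// shown on the "Don't allow unexpected domains" slide.
const PAGE = "https://shop.example";
const HEADER = "default-src 'self' *.googleanalytics.com";
for (const [directive, url] of [
  ["script-src", "https://shop.example/app.js"],
  ["script-src", "https://www.googleanalytics.com/ga.js"],
  ["script-src", "https://cdn.adnetwork.example/ad.js"],
  ["img-src", "http://shop.example/logo.png"],
]) {
  const verdict = isAllowed(parseCsp(HEADER), directive, url, PAGE) ? "allowed" : "BLOCKED";
  console.log(directive, url, verdict);
}
```

Note that "*.googleanalytics.com" does not match the bare apex host, and that 'self' does not match an http load on an https page, so two of the four sample loads are blocked in addition to the ad script.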

Slide 37

Slide 37 text

3 Extending the browser sandbox
Don’t allow browser features
By default, anything the browser can do is allowed. Instead, an allow-list can be specified:
Feature-Policy: autoplay 'none'; geolocation 'none'

Slide 38

Slide 38 text

3 Extending the browser sandbox
Feature-Policy settings
 autoplay
 camera
 document-domain
 encrypted-media
 fullscreen
 geolocation
 microphone
 midi
 payment
 vr
 vibrate
 accelerometer
 ambient-light-sensor
 gyroscope
 layout-animations
 legacy-image-formats
 magnetometer
 oversized-images
 picture-in-picture
 speaker
 sync-xhr
 unoptimized-images
 unsized-media
 usb


Slide 39

Slide 39 text

3 Extending the browser sandbox
Applying these techniques
Interest in this area began with a site with a tight Content-Security-Policy and Twitter… Do I want to give Twitter control of my site’s users?

Slide 40

Slide 40 text

3 Extending the browser sandbox
Crazy ideas!?
Using limited VirtualDOM diffing with a WebWorker — maybe impossible, but maybe magic.

Slide 41

Slide 41 text

Web security is your responsibility to opt in to. Please do it.