Isolation by Default

December 01, 2020

1.8k

Isolation by Default

Presented at a mini-XSLeaks summit: TL;DR: Isolation is possible today, but is entirely opt-in. What if it was opt-out instead, and developers had to opt-into cross-origin collaboration? It would certainly be safer. Would it also be good?

(Yes. It would.)

Barely thought-through proposals:

* https://github.com/mikewest/coop-by-default/
* https://github.com/mikewest/embedding-requires-opt-in/
* https://github.com/mikewest/deprecating-document-domain/
* https://wicg.github.io/cors-rfc1918/
* https://github.com/mikewest/credentiallessness/

Mike West
PRO

December 01, 2020

More Decks by Mike West

See All by Mike West

W3C Permissions Workshop - 2022-12-05

mikewest

PRO

100

The Web We Can Ship

mikewest

PRO

450

Web Platform Security @ CMS Security Summit 2020

mikewest

PRO

2.8k

Web Platform Security @ TechDays 2019

mikewest

PRO

160

Cookies are bad @ HTTP Workshop 2019

mikewest

PRO

410

Web Platform Security @ CMS Security Summit

mikewest

PRO

110

Web Platform Security PhD Summit @ Google Munich

mikewest

PRO

900

BSides Munich

mikewest

PRO

320

Hardening the Web Platform - AppSec EU, 2016

mikewest

PRO

1.4k

Other Decks in Programming

See All in Programming

Jakarta EE meets AI

ivargrimstad

590

Duckdb-Wasmでローカルダッシュボードを作ってみた

nkforwork

130

見せてあげますよ、「本物のLaravel批判」ってやつを。

77web

7.8k

役立つログに取り組もう

irof

9.6k

Generative AI Use Cases JP (略称:GenU)奮闘記

hideg

300

ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる

tkikuc

250

型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request

euxn23

2.2k

EMになってからチームの成果を最大化するために取り組んだこと/ Maximize team performance as EM

nashiusagi

100

エンジニアとして関わる要件と仕様(公開用)

murabayashi

300

シェーダーで魅せるMapLibreの動的ラスタータイル

satoshi7190

480

Micro Frontends Unmasked Opportunities, Challenges, Alternatives

manfredsteyer

PRO

110

Click-free releases & the making of a CLI app

oheyadam

120

Featured

See All Featured

Faster Mobile Websites

deanohume

305

30k

The Success of Rails: Ensuring Growth for the Next 100 Years

eileencodes

6.8k

Side Projects

sachag

452

42k

Refactoring Trust on Your Teams (GOTO; Chicago 2020)

rmw

2.7k

Practical Tips for Bootstrapping Information Extraction Pipelines

honnibal

PRO

720

Why Our Code Smells

bkeepers

PRO

334

57k

Understanding Cognitive Biases in Performance Measurement

bluesmoon

1.4k

No one is an island. Learnings from fostering a developers community.

thoeni

Principles of Awesome APIs and How to Build Them.

keavy

126

17k

[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails

eileencodes

1.9k

Building Better People: How to give real-time feedback that sticks.

wjessup

364

19k

Docker and Python

trallard

3.1k

Transcript

Isolation by Default XSLeaks Summit 2020-12-01 — Camille Lamy &
Mike West
Status quo ante:
Status quo: Well-informed developers will adopt CORP, XFO, COOP, and
COEP. Less-informed developers remain vulnerable.
The Future? Browsers will isolate documents by default. Developers who
require cross-origin collaboration can opt-out of isolation.
A Few Modest Proposals User agents should: 1. Apply COOP:
same-origin-allow-popups by default: https://github.com/mikewest/coop-by-default/ 2. Require embedees to opt-into framing rather than out of it: https://github.com/mikewest/embedding-requires-opt-in/ 3. Deprecate and remove impediments to origin isolation by default (most notably document.domain: https://github.com/mikewest/deprecating-document-domain)
A Few More Modest Proposals User agents should: 4. Require
opt-in for communication across network boundaries: https://wicg.github.io/cors-rfc1918/ 5. Shift towards credentiallness requests by default (SameSite=Lax on the one hand, COEP: x-bikeshed-credentialless-unless-cors on the other): https://github.com/mikewest/credentiallessness/ 6. Strict MIME type checking, in conjunction with CORB/ORB.
What else should we try to break ﬁx?