Isolation by Default

December 01, 2020

1.7k

Isolation by Default

Presented at a mini-XSLeaks summit: TL;DR: Isolation is possible today, but is entirely opt-in. What if it was opt-out instead, and developers had to opt-into cross-origin collaboration? It would certainly be safer. Would it also be good?

(Yes. It would.)

Barely thought-through proposals:

* https://github.com/mikewest/coop-by-default/
* https://github.com/mikewest/embedding-requires-opt-in/
* https://github.com/mikewest/deprecating-document-domain/
* https://wicg.github.io/cors-rfc1918/
* https://github.com/mikewest/credentiallessness/

Mike West
PRO

December 01, 2020

More Decks by Mike West

See All by Mike West

W3C Permissions Workshop - 2022-12-05

mikewest

PRO

100

The Web We Can Ship

mikewest

PRO

440

Web Platform Security @ CMS Security Summit 2020

mikewest

PRO

2.8k

Web Platform Security @ TechDays 2019

mikewest

PRO

160

Cookies are bad @ HTTP Workshop 2019

mikewest

PRO

410

Web Platform Security @ CMS Security Summit

mikewest

PRO

110

Web Platform Security PhD Summit @ Google Munich

mikewest

PRO

890

BSides Munich

mikewest

PRO

320

Hardening the Web Platform - AppSec EU, 2016

mikewest

PRO

1.4k

Other Decks in Programming

See All in Programming

2万ページのSSG運用における工夫と注意点 / Vue Fes Japan 2024

chinen

1.3k

[PyCon Korea 2024 Keynote] 커뮤니티와 파이썬, 그리고 우리

beomi

110

ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF

twada

PRO

ECSのサービス間通信 4つの方法を比較する〜Canary,Blue/Greenも添えて〜

tkikuc

2.3k

PagerDuty を軸にした On-Call 構築と運用課題の解決 / PagerDuty Japan Community Meetup 4

horimislime

110

約9000個の自動テストの時間を50分->10分に短縮 Flakyテストを1%以下に抑えた話

hatsu38

11k

CPython 인터프리터 구조 파헤치기 - PyCon Korea 24

kennethanceyer

240

Synchronizationを支える技術

s_shimotori

150

AWS IaCの注目アップデート 2024年10月版

konokenj

3.1k

ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる

tkikuc

210

Googleのテストサイズを活用したテスト環境の構築

toms74209200

270

Vue SFCのtemplateでTypeScriptの型を活用しよう

tsukkee

1.5k

Featured

See All Featured

Docker and Python

trallard

3.1k

How to train your dragon (web standard)

notwaldorf

5.7k

4 Signs Your Business is Dying

shpigford

180

21k

Creating an realtime collaboration tool: Agile Flush - .NET Oxford

marcduiker

1.8k

Git: the NoSQL Database

bkeepers

PRO

425

64k

Raft: Consensus for Rubyists

vanstee

136

6.6k

Writing Fast Ruby

sferik

626

61k

Fontdeck: Realign not Redesign

paulrobertlloyd

5.2k

Mobile First: as difficult as doing things right

swwweet

222

8.9k

How to Create Impact in a Changing Tech Landscape [PerfNow 2023]

tammyeverts

2.1k

Practical Tips for Bootstrapping Information Extraction Pipelines

honnibal

PRO

680

Building Flexible Design Systems

yeseniaperezcruz

327

38k

Transcript

Isolation by Default XSLeaks Summit 2020-12-01 — Camille Lamy &
Mike West
Status quo ante:
Status quo: Well-informed developers will adopt CORP, XFO, COOP, and
COEP. Less-informed developers remain vulnerable.
The Future? Browsers will isolate documents by default. Developers who
require cross-origin collaboration can opt-out of isolation.
A Few Modest Proposals User agents should: 1. Apply COOP:
same-origin-allow-popups by default: https://github.com/mikewest/coop-by-default/ 2. Require embedees to opt-into framing rather than out of it: https://github.com/mikewest/embedding-requires-opt-in/ 3. Deprecate and remove impediments to origin isolation by default (most notably document.domain: https://github.com/mikewest/deprecating-document-domain)
A Few More Modest Proposals User agents should: 4. Require
opt-in for communication across network boundaries: https://wicg.github.io/cors-rfc1918/ 5. Shift towards credentiallness requests by default (SameSite=Lax on the one hand, COEP: x-bikeshed-credentialless-unless-cors on the other): https://github.com/mikewest/credentiallessness/ 6. Strict MIME type checking, in conjunction with CORB/ORB.
What else should we try to break ﬁx?