Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No privilege, no risk - Devoxx 2013

Mike West
November 14, 2013

No privilege, no risk - Devoxx 2013

Mike West

November 14, 2013
Tweet

More Decks by Mike West

Other Decks in Programming

Transcript

  1. @mikewest #DV13-security No privilege, no risk A client-side security cornucopia

    Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest Slides: https://mkw.st/r/devoxx13
  2. <style> p { color: {{USER_COLOR}}; } </style> <p> Hello {{USER_NAME}},

    view your <a href="{{USER_URL}}">Account</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG: {{INFO}} -->
  3. Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://mikewestdotorg.hasacdn.net

    https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; font-src https://mikewestdotorg.hasacdn.net
  4. Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src

    ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi
  5. Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations { "csp-report": { "document-uri": "http://example.org/page.html",

    "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/img.png", "violated-directive": "default-src 'self'", "original-policy": "...", "source-file": "http://example.com/script.js", "line-number": 10, "column-number": 11, } }
  6. <!-- index.html --> <script src="clickHandler.js"></script> <button class="clckr">Click me!</button> <a href="#"

    class="clckr">Click me!</a> <!-- clickHandler.js --> function handleClick() { ... } function init() { for (var e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); }
  7. Content-Security-Policy: script-src 'nonce-afbvjn+afpo-j1qer'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script nonce="afbvjn+afpo-j1qer"> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>
  8. Content-Security-Policy: script-src 'sha256-afbvjn+...afpo-j1qer'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>
  9. <iframe src="page.html" sandbox></iframe> <!-- * Unique origin * No plugins.

    * No script. * No form submissions. * No top-level navigation. * No popups. * No autoplay. * No pointer lock. * No seamless iframes. -->
  10. <script> var frame = document.querySelector('iframe'); frame.contentWindow.postMessage(message, '*'); window.addEventListener('message', function (e)

    { if (e.origin === "null" && e.source === frame.contentWindow) // Do something amazing in response! }); </script>
  11. <script> window.addEventListener('message', function (e) { if (e.origin !== window.location.origin) return;

    // Do something amazing in response! e.source.postMessage(result, e.origin); }); </script>
  12. <script> var channel = new MessageChannel(); // channel.port1 <-> channel.port2

    frame.contentWindow.postMessage( 'init', '*', [ channel.port2 ]); channel.port1.postMessage(message); channel.port1.addEventListener('message', ...); </script>