Web Platform Security @ CMS Security Summit 2020

Transcript

1. Web Platform Security CMS Security Summit, Feb. 2020 Mike West

   NOT A DIRECTOR, CHROME SECURITY [email protected]

2. Google Vulnerability Reward Program payouts in 2018 youtu.be/DDtM9caQ97I

3. bit.ly/post-spectre-threat-model

4. Injection and Isolation are our focus in 2020.

5. Injection

6. const templateId = location.hash.match(/tplid=([^;&]*)/)[1]; document.head.innerHTML += `<link rel="stylesheet" href="/${templateId}/style.css">` //

   `https://example.com#tplid="><img src=x onerror=alert(1)>` => <?php echo "Hello, {$_GET['name']}!" ?> // `https://example.com?name=<script>alert(1)</script>` => DOM XSS Reflected XSS

7. Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-{random}' 'strict-dynamic' ...; Strict

   CSP bit.ly/strict-csp

8. Strict CSP bit.ly/strict-csp Content-Security-Policy: object-src 'none'; base-uri 'none'; script-src 'nonce-ABCDEFG'

   'strict-dynamic' …; <script id="1" nonce="ABCDEFG"> doAmazingThings("yay"); // Executes. let s = document.createElement('script'); s.src = "/script.js"; document.body.appendChild(s); // Executes. </script> <script id="2">/* This will not execute. */</script> <script id="3" nonce="BOO">/* Nor this. */</script> <embed src="/flash.swf">/* Nor this. */</script> <base href="https://evil.com/" nor="this" />

9. Trusted Types research.google/pubs/pub42934

10. Trusted Types bit.ly/tt-introduction bit.ly/tt-spec

11. let p = trustedTypes.createPolicy("my-policy", { createHTML: (i) => sanitizerGoesHere(i), createScript:

    (i) => anotherSanitizer(i), createScriptURL: (i) => allowedURLs(i) }); myDiv.innerHTML = p.createHTML(userInput); eval(p.createScript(moreInput)); scriptEl.src = p.createScriptURL(evenMore); Content-Security-Policy: ... require-trusted-types-for 'script'; trusted-types my-awesome-policy; Trusted Types bit.ly/tt-introduction bit.ly/tt-spec

12. Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri ...; let p = trustedTypes.createPolicy("my-policy", {

    createHTML: a=>a, createScript: a=>a, createScriptURL: a=>a }); {"csp-report":{... "violated-directive": "require-trusted-types-for", "blocked-uri": "trusted-types-sink", "line-number": 128, "column-number": 73, "source-file": "https://example.site/a.html", "script-sample": "Element.innerHTML console.log('Hello');", ...}} Trusted Types bit.ly/tt-introduction bit.ly/tt-spec

13. Scripting-Policy: nonce="ABCDEFG", require-trusted-types-for=(script) Scripting Policy (WIP) bit.ly/scripting-policy

14. Isolation

15. None
16. None
17. None
18. None

19. Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-origin a.com/js a.com sub.a.com b.com bit.ly/corp-spec

20. Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-site a.com/js a.com sub.a.com b.com bit.ly/corp-spec

21. Cross-Origin Resource Policy bit.ly/corp-spec Cross-Origin-Resource-Policy: cross-site a.com/js a.com sub.a.com b.com

22. Cross-Origin Resource Policy Cross-Origin-Resource-Policy: same-origin bit.ly/corp-spec

23. Please, set CORP headers for known cross-site responses.

24. Cross-Origin Embedder Policy bit.ly/coep-spec Cross-Origin-Embedder-Policy: require-corp a.com a.com sub.a.com b.com

    CORP: same-origin CORP: same-site CORP: cross-site b.com

25. COEP will be required when using APIs that amplify side-channel

    attacks.

26. // Top-level navigation Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User:

    ?1 // <img> Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: cross-site Fetch Metadata bit.ly/fm-spec bit.ly/fm-policies Artur Janc 10:00ish tomorrow. Cross-Origin-Opener-Policy: same-origin; report-to=endpoint Cross-Origin Opener Policy bit.ly/coop-spec

27. Securer Contexts (WIP)

28. TLS is an insufficient baseline in 2020. Isolation is critical.

    bit.ly/securer-contexts

29. Thanks! @mikewest [email protected]