Web Platform Security PhD Summit @ Google Munich

Web Platform Security. The threats browser vendors are exploring at the moment, and some mitigations thereof.

Mike West

June 25, 2018

Transcript

  1. A Site is a set of origins that share a registrable domain.
     https://example.com
     https://mikewest.github.io
     https://www.example.com
     https://sub.example.com
     https://sub.sub.example.com
     https://w3c.github.io
  2. XSSI
     // https://victim.example/script
     var isLoggedIn = true;
     if (isLoggedIn) {
       // ...
     }
     (function () {
       var sekritData = 12345;
       globallyAccessibleFunction(sekritData);
     })();
     // Or, JSONP
     callback({"sekritData": 12345});
  3. XSSI Status-Quo Mitigations
     Serve static JavaScript. Make dynamic secrets difficult to execute, by:
     1. Prefixing responses with )]}'\n.
     2. Serving non-script responses (like HTML documents) with a non-script MIME type and X-Content-Type-Options: nosniff.
  4. Framing Status-Quo Mitigations
     // Headers
     Content-Security-Policy: frame-ancestors 'self'
     X-Frame-Options: SAMEORIGIN
     // JavaScript (the ancestorOrigins list lives on Location, not on Window)
     doSomeVerification(window.location.ancestorOrigins);
     new IntersectionObserver(..., ...)
  5. Site Isolation
     (More details in the aforementioned talk tomorrow morning at 10:40, and in Parisa's closing keynote at 10:50 Wednesday)
     https://goo.gl/1p44Yt
  6. That's... going to take a while. What should we be doing today?
     https://www.arturjanc.com/cross-origin-infoleaks.pdf
  7. SameSite Cookies
     https://goo.gl/tseFAa
     HTTP/1.1 200 OK
     Date: Fri, 26 May 2018 10:02:11 GMT
     Content-Length: 1234
     Content-Type: text/html; charset=utf-8
     Set-Cookie: sekrit=12345; SameSite=Strict
  8. Cross-Origin Resource Policy
     https://goo.gl/vBwgoh
     HTTP/1.1 200 OK
     Date: Fri, 26 May 2018 10:02:11 GMT
     Content-Length: 1234
     Content-Type: text/html; charset=utf-8
     Cross-Origin-Resource-Policy: same-site
  9. Cross-Origin Window Policy
     https://goo.gl/vBwgoh
     HTTP/1.1 200 OK
     Date: Fri, 26 May 2018 10:02:11 GMT
     Content-Length: 1234
     Content-Type: text/html; charset=utf-8
     Cross-Origin-Window-Policy: deny
  10. Sec-Metadata
      GET / HTTP/1.1
      Host: mikewest.org
      Connection: keep-alive
      ...
      Sec-Metadata: cause="user-activated", destination="document", site="same-origin", target="nested"
      ...
      https://goo.gl/gUFnTf
  11. Early Hints
      RFC8297: Kazuho Oku (Fastly)
      https://tools.ietf.org/html/rfc8297
      HTTP/1.1 103 Early Hints
      Cross-Origin-Resource-Policy: same-site

      HTTP/1.1 200 OK
      Date: Fri, 26 May 2018 10:02:11 GMT
      Content-Length: 1234
      Content-Type: text/html; charset=utf-8
      Cross-Origin-Resource-Policy: same-site
      ...
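Added example, not from the talk: a small Python policy check that parses the Sec-Metadata request header format shown on the Sec-Metadata slide and refuses cross-site requests that would load the response as a subresource, plus a helper that applies the response-side headers from the XSSI, framing and Cross-Origin Resource Policy slides. The serving policy, the cross-site sample request and the "top-level" target value are assumptions.

```python
import re

# Matches one key="value" pair from the Sec-Metadata header shown on the slide.
_PAIR = re.compile(r'\s*([a-z-]+)\s*=\s*"([^"]*)"\s*(?:,|$)')


def parse_sec_metadata(value):
    """Turn 'cause="...", destination="...", site="...", target="..."' into a dict."""
    return {m.group(1): m.group(2) for m in _PAIR.finditer(value)}


def should_serve(request_headers):
    """Resource-isolation policy (an assumption, not a spec): same-origin and
    same-site requests are served; a cross-site request is served only when it
    is a user-activated, top-level navigation to a document. Cross-site loads
    of the response as a script, image or frame are refused, which is the
    pattern the XSSI and framing slides describe."""
    raw = request_headers.get("Sec-Metadata")
    if raw is None:
        # Older browser sends no metadata: fall back to the response-side headers.
        return True
    md = parse_sec_metadata(raw)
    if md.get("site") in ("same-origin", "same-site"):
        return True
    return (md.get("cause") == "user-activated"
            and md.get("destination") == "document"
            and md.get("target") == "top-level")  # "top-level" value is assumed


def harden(response_headers):
    """Apply the status-quo response headers from the slides, without
    overriding values the application already set."""
    hardened = dict(response_headers)
    hardened.setdefault("X-Content-Type-Options", "nosniff")
    hardened.setdefault("Content-Security-Policy", "frame-ancestors 'self'")
    hardened.setdefault("X-Frame-Options", "SAMEORIGIN")
    hardened.setdefault("Cross-Origin-Resource-Policy", "same-site")
    return hardened


if __name__ == "__main__":
    # Constructed requests: the header value from the slide, and a cross-site script load.
    same_origin = {"Sec-Metadata": 'cause="user-activated", destination="document", '
                                   'site="same-origin", target="nested"'}
    cross_site = {"Sec-Metadata": 'cause="forced", destination="script", '
                                  'site="cross-site", target="subresource"'}
    print(should_serve(same_origin), should_serve(cross_site))  # True False
    print(harden({"Content-Type": "text/html; charset=utf-8"}))
```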