Web Platform Security PhD Summit @ Google Munich

Transcript

1. Web Platform Security PhD Summit: Munich, June 2018 Threats. Mitigations.

   More. [email protected], @mikewest

2. Fundamentals

3. https://[host]:[port] An Origin. https://example.com https://news.example https://ads.example https://shop.example

4. A Site is a set of origins that share a

   registrable domain. https://example.com https://mikewest.github.io https://www.example.com https://sub.example.com https://sub.sub.example.com https://w3c.github.io

5. Same Origin Policy https://news.example https://ads.example https://shop.example

6. Site-Scoped Access https://news.example https://sub.news.example https://shop.example document.domain = "news.example"

7. Turns out... https://www.arturjanc.com/cross-origin-infoleaks.pdf

8. XSS <p> "Welcome, <script>alert(1);</script>!" </p> (More details from Sebastian Lekies

   this afternoon at 16:30)

9. XSSI // https://victim.example/script var isLoggedIn = true; if (isLoggedIn) {

   // ... } (function () { var sekritData = 12345; globallyAccessibleFunction(sekritData); })(); // Or, JSONP callback({"sekritData": 12345});

10. XSSI Status-Quo Mitigations Serve static JavaScript. Make dynamic secrets difficult

    to execute, by: 1. Prefixing responses with )]}'\n. 2. Serving non-script responses (like HTML documents) with a non-script MIME type and X-Content-Type-Options: nosniff.

11. CSRF

12. CSRF Status-Quo Mitigations <input type="hidden" name="csrf_token" value="[sekrits go here]"> Set-Cookie:

    csrf_token=sekrits; SameSite=Strict

13. Framing

14. Framing Status-Quo Mitigations // Headers Content-Security-Policy: frame-ancestors 'self' X-Frame-Options: SAMEORIGIN

    // JavaScript doSomeVerification(window.ancestorOrigins); new IntersectionObserver(..., ...)

15. Framing Both <iframe> and window.open() variants allows DOM access

16. Loading Side-Effects Explicit Risks <img src="https://an.example/login.php? next=https%3A%2F%2Fan.example%2Fimg.png" onload="alert('Signed in!')" onerror="alert('Signed

    out!')" >

17. Loading Side-Effects Implicit Risks

18. Render Timing

19. Turns out... (More details from clever V8 folks, tomorrow morning

    at 10:40)

20. https://goo.gl/p5UrKw

21. So, what's the plan? https://www.arturjanc.com/cross-origin-infoleaks.pdf

22. Site Isolation (More details in the aforementioned talk tomorrow morning

    at 10:40, and in Parisa's closing keynote at 10:50 Wednesday) https://goo.gl/1p44Yt

23. Why "Site"? https://goo.gl/NRCngd

24. That's... going to take a while. What should we be

    doing today? https://www.arturjanc.com/cross-origin-infoleaks.pdf

25. SameSite Cookies Mike West (Google) Mark Goodwin (Mozilla) https://goo.gl/tseFAa

26. SameSite Cookies https://goo.gl/tseFAa HTTP/1.1 200 OK Date: Fri, 26 May

    2018 10:02:11 GMT Content-Length: 1234 Content-Type: text/html; charset=utf-8 Set-Cookie: sekrit=12345; SameSite=Strict

27. Cross-Origin Read Blocking Łukasz Anforowicz (Google) Charlie Reis (Google) https://goo.gl/Pth6Kz

28. Cross-Origin Resource Policy John Wilander (Apple) Anne van Kesteren (Mozilla)

    https://goo.gl/vBwgoh

29. Cross-Origin Resource Policy https://goo.gl/vBwgoh HTTP/1.1 200 OK Date: Fri, 26

    May 2018 10:02:11 GMT Content-Length: 1234 Content-Type: text/html; charset=utf-8 Cross-Origin-Resource-Policy: same-site

30. Cross-Origin Window Policy Ryosuke Niwa (Apple) https://github.com/whatwg/html/issues/3740

31. Cross-Origin Window Policy https://goo.gl/vBwgoh HTTP/1.1 200 OK Date: Fri, 26

    May 2018 10:02:11 GMT Content-Length: 1234 Content-Type: text/html; charset=utf-8 Cross-Origin-Window-Policy: deny

32. Sec-Metadata Mike West (Google) Artur Janc (Google) https://goo.gl/gUFnTf

33. Sec-Metadata GET / HTTP/1.1 Host: mikewest.org Connection: keep-alive ... Sec-Metadata:

    cause="user-activated", destination="document", site="same-origin", target="nested" ... https://goo.gl/gUFnTf

34. Sec-Metadata https://goo.gl/gUFnTf

35. Early Hints RFC8297: Kazuho Oku (Fastly) https://tools.ietf.org/html/rfc8297

36. Early Hints RFC8297: Kazuho Oku (Fastly) https://tools.ietf.org/html/rfc8297 HTTP/1.1 103 Early

    Hints Cross-Origin-Resource-Policy: same-site HTTP/1.1 200 OK Date: Fri, 26 May 2018 10:02:11 GMT Content-Length: 1234 Content-Type: text/html; charset=utf-8 Cross-Origin-Resource-Policy: same-site ...

37. Thanks for your time! Mike West, [email protected], @mikewest https://www.arturjanc.com/cross-origin-infoleaks.pdf