Re: [whatwg/fetch] From-Origin (#687)

> Maybe we could have a strict mode that takes all frame origins in the process into account?

It does seem like that would be necessary (both for frames and workers in the process), though not sufficient, as you noted earlier:

> Even with such a guarantee at the time of the request, cross-origin or non-same-site frames may be loaded into the process at a later stage and a Spectre attack could be possible. The only way we see this fully working is checking that no cross-origin or non-same-site frames are in the process at the time of the request, and blocking any subsequent cross-origin or non-same-site frame loads into the process.

It does seem like you'd need some notion of marking the process as dedicated to the origin/site, so that future frames and workers from other sites aren't loaded into it.

> I haven't given it any deeper thoughts but wouldn't such a strict mode allow for pretty good UI redressing protection too? Say payments.com makes a deal with shop.com to provide a checkout iframe. It could then refuse to display its content if shop.com's checkout page is loading unknown cross-origin iframes. And that would be beneficial even under process-per-frame/process-per-origin.

It might help in the case that cross-site frames are never allowed in the same page.  I think it might not help if out-of-process iframes are supported, since those could still do UI redressing attacks in the same page, just from a different process.  (That said, out-of-process iframes make it possible to protect a much wider range of pages from Spectre, such as those that do have semi-untrusted cross-site frames.)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-381276661

Received on Friday, 13 April 2018 22:36:19 UTC
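The two-part check described in the quoted comment (no cross-site frames or workers present in the process when the From-Origin resource is requested, and no cross-site frame loads into that process afterwards), as an added toy model that is not part of this thread or of any browser's code. The site computation is a deliberate simplification of the Public Suffix List rule, and the class and method names are invented for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed model, not browser code: a renderer process tracks the origins of
# every frame and worker it hosts and may become "dedicated" to a single site.


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def site_of(origin: str) -> str:
    """Approximate the 'site' (scheme + registrable domain).

    Real browsers consult the Public Suffix List; this simplification keeps
    only the last two host labels, which is wrong for suffixes like co.uk.
    """
    parts = urlsplit(origin)
    labels = (parts.hostname or "").split(".")
    return f"{parts.scheme}://{'.'.join(labels[-2:])}"


@dataclass
class RendererProcess:
    frame_origins: Set[str] = field(default_factory=set)
    worker_origins: Set[str] = field(default_factory=set)
    dedicated_site: Optional[str] = None  # set once a From-Origin response commits

    def hosted_origins(self) -> Set[str]:
        return self.frame_origins | self.worker_origins

    def can_load_frame(self, origin: str) -> bool:
        """Part 2 of strict mode: once dedicated, refuse cross-site frame loads."""
        if self.dedicated_site is None or site_of(origin) == self.dedicated_site:
            self.frame_origins.add(origin)
            return True
        return False

    def can_receive_from_origin_response(self, requester: str) -> bool:
        """Part 1: admit the protected resource only if every frame and worker
        already in the process is same-site with the requesting origin, then
        lock the process to that site so part 2 applies to later loads."""
        site = site_of(requester)
        if any(site_of(o) != site for o in self.hosted_origins()):
            return False
        self.dedicated_site = site
        return True
```

Note that the order matters: a process that already hosts a cross-site frame can never become dedicated, which is why the check must be made before the response is committed rather than after.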