W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2017

[suborigins] Protecting Suborigined content from the rest of the origin

From: Aleksandr Dobkin <dobkin@google.com>
Date: Mon, 15 May 2017 14:26:17 -0700
Message-ID: <CAJGyu7WKmQiEio1rPtAMzBOHCxj+USn0sUs=3otzKBtky0GubQ@mail.gmail.com>
To: public-webappsec@w3.org, Jochen Eisinger <eisinger@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Mike West <mkwst@google.com>
The current spec is great for isolating suborigined content from the rest
of the domain, and thereby preventing XSS bugs in the suborigined content
from being used to attack the rest of the domain. The opposite, protecting
suborigined content from being affected by XSS bugs in the rest of the
domain, is also very useful. A prime example is protecting password-change
and OAuth2 authorization pages from being attacked by XSS bugs elsewhere on
the domain.

The spec already provides several protections: 1) JS content in the same
physical original cannot directly access the DOM and 2) .postMessages()
messages can be discriminated by .origin. The one additional thing that we
need is a way to block non-suboringed JS from fetching using XHR from the
suborign. If non-suborigined content can fetch arbitrary content, it can
also typically fetch CSRF tokens and arbitrary sensitive information from
the suborigin.

I propose we extend the XHR spec to block returning of responses to JS if
the response contains a Suborigin header, and suborigin value does not
match suborigin name of the requester document.

This blocking is similar to how it is done for simple XHRs when the
response does not have CORS headers.

-Alex
Received on Monday, 15 May 2017 21:26:51 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:23 UTC