Re: [whatwg/fetch] From-Origin (#687)

> It doesn't seem necessary to have From-Origin effectively control what frames are allowed to load in a given application because developers already have that lever: Content-Security-Policy: frame-src. An application which doesn't ever need to load cross-origin frames can ensure that it's safe from Spectre if it sets frame-src, frame-ancestors and From-Origin to 'self' on all of its responses even if From-Origin only looks at the origin of the embedding document and ignores frames.
> 
> Framing a resource is a choice on part of the developer. If the application loads an iframe, it generally means the developer wants the iframe to be part of her application, or otherwise she would remove it (or possibly prevent it from loading via CSP). IIUC option (4) means that developers would be required to either remove all cross-origin frames or set From-Origin to a union of the origins of frames loaded in their application, or otherwise loading From-Origin-protected resources would break. Whitelisting these external origins in From-Origin would mean that any document in these origins would now be able to execute Spectre-like attacks on the application's resources at any time, rather than just the single explicitly iframed document while the user is interacting with the application.

(4) can provide protection if the browser doesn't have process-per-frame/process-per-origin.

If victim.com is the top frame, then yes, it can control the page's CSP. But if victim.com is an iframe, I don't think there is a way for it to tell the browser that it will only allow a particular resource load if all frames in the current web content process are from a given whitelist.

Say you have a situation like this:

```
     friend.com
         |
        / \
       /   \
evil.com    victim.com (CSP allows ancestor friend.com)
 iframe       iframe
                 \
                Loads sensitive image
```
evil.com can now Spectre the sensitive image, right? And if From-Origin only checked the ancestor tree, it would not consider evil.com's sibling iframe.

Maybe we could have a strict mode that takes _all_ frame origins in the process into account? I haven't given it any deeper thought, but wouldn't such a strict mode allow for pretty good UI redressing protection too? Say payments.com makes a deal with shop.com to provide a checkout iframe. It could then refuse to display its content if shop.com's checkout page is loading unknown cross-origin iframes. And that would be beneficial even under process-per-frame/process-per-origin.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-381192021

Received on Friday, 13 April 2018 16:37:31 UTC
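As an added illustration of the two checks debated in this reply (not code from the fetch spec, the thread, or any browser), a hypothetical JavaScript model of the frame tree in the diagram: the ancestor-only check versus the proposed strict mode that looks at every frame sharing the process. The From-Origin value is modelled as a plain allowlist of origins, which is an assumption.

```javascript
// Hypothetical model (not from the fetch spec, the thread, or any browser)
// of an ancestor-only From-Origin check versus a "strict mode" variant.

// Build a frame node; children get a back-pointer to their parent.
function makeFrame(origin, children = []) {
  const frame = { origin, children, parent: null };
  for (const child of children) child.parent = frame;
  return frame;
}

// Constructed tree matching the diagram: friend.com is the top document and
// embeds evil.com and victim.com as sibling iframes.
const tree = makeFrame("https://friend.com", [
  makeFrame("https://evil.com"),
  makeFrame("https://victim.com"),
]);
const victimFrame = tree.children[1];

// Origins of every ancestor of `frame`, nearest first.
function ancestorOrigins(frame) {
  const out = [];
  for (let f = frame.parent; f !== null; f = f.parent) out.push(f.origin);
  return out;
}

// Origins of every frame in the tree rooted at `root`. Assumes the whole
// tree shares one web content process (no per-frame/per-origin isolation).
function allOriginsInProcess(root) {
  const out = [root.origin];
  for (const child of root.children) out.push(...allOriginsInProcess(child));
  return out;
}
function rootOf(frame) {
  let f = frame;
  while (f.parent !== null) f = f.parent;
  return f;
}

// Ancestor-only variant: allow the load when the requesting frame and all
// of its ancestors are in the From-Origin allowlist (modelled as a Set).
function allowedAncestorOnly(frame, allowlist) {
  return [frame.origin, ...ancestorOrigins(frame)].every((o) => allowlist.has(o));
}

// Strict variant: every frame sharing the process must be allowlisted, so a
// sibling iframe from an unknown origin blocks the load.
function allowedStrict(frame, allowlist) {
  return allOriginsInProcess(rootOf(frame)).every((o) => allowlist.has(o));
}

// victim.com's policy admits itself and friend.com, as in the thread.
const fromOrigin = new Set(["https://victim.com", "https://friend.com"]);
```

With this tree the ancestor-only check admits the sensitive image while strict mode refuses it because of the evil.com sibling; remove that sibling and both variants agree.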