A primer on cross-origin information leaks

Hey WebAppSec,

We've recently had interesting discussions about various mechanisms to
restrict cross-origin resource loads (CORB, From-Origin, Sec-Metadata,
Cross-Origin-Isolate) in the context of Spectre. One issue that these
threads touched upon, but didn't go into much detail about, is the threat
model in which these mechanisms exist, i.e. what vulnerabilities they hope
to address.

To analyze this in more detail, Mike and I put together a doc to review the
major known types of cross-origin information leaks, and outline how the
recent proposals fare against them:

https://docs.google.com/document/d/1cbL-X0kV_tQ5rL8XJ3lXkV-j0pt_CfTu5ZSzYrncPDc/edit
(opened up for public comments; I also uploaded a PDF here
<https://www.arturjanc.com/cross-origin-infoleaks.pdf> in case that's
easier to read)

My main takeaway from putting this together is that it may be valuable to
provide developers with general mechanisms that allow them to protect
against the larger issue of cross-origin attacks, rather than focus on the
specific threat of Spectre. I hope that the doc gives some useful context
for why this is a problem worth solving, and outlines a path forward, both
when it comes to preventing speculative execution attacks, and to addressing one
of the major long-standing classes of vulnerabilities we've had on the web.
This is kind of an exciting prospect, so I'd appreciate it if y'all could
take a look!

Cheers,
-Artur

Received on Tuesday, 15 May 2018 23:24:38 UTC