Re: A primer on cross-origin information leaks

> On May 15, 2018, at 4:24 PM, Artur Janc <> wrote:
> Hey WebAppSec,
> We've recently had interesting discussions about various mechanisms to restrict cross-origin resource loads (CORB, From-Origin, Sec-Metadata, Cross-Origin-Isolate) in the context of Spectre. One issue that these threads touched upon, but didn't go into much detail about, is the threat model in which these mechanisms exist, i.e. what vulnerabilities they hope to address.
> To analyze this in more detail, Mike and I put together a doc to review the major known types of cross-origin information leaks, and outline how the recent proposals fare against them:
> <>
> (opened up for public comments; I also uploaded a PDF here <> in case that's easier to read)
> My main takeaway from putting this together is that it may be valuable to provide developers with general mechanisms that allow them to protect against the larger issue of cross-origin attacks, rather than focus on the specific threat of Spectre. I hope that the doc gives some useful context for why this is a problem worth solving, and outlines a path forward, both when it comes preventing speculative execution attacks, and addressing one of the major long-standing classes of vulnerabilities we've had on the web. This is kind of an exciting prospect, so I'd appreciate it if y'all could take a look!

Thanks for the writeup! Three things that I think we need to add:
A more thorough analysis of ease of adoption. This should include what we think might break, complexity of the technology, data transfer impact, and how the technology interacts with existing cross-origin controls. For example, what should happen if a response contains conflicting CORS, XFO, and From-Origin directives?
Privacy impact. The more meta data we send to servers, the more they know about the user.
Adding the concept of Same-Site (eTLD+1, potentially scheme+eTLD+1) to all of these origin controls. I believe adoption will be easier if developers can deploy CSP, XFO, From-Origin, and Cross-Origin-Options with Same-Site.

Here’s an update on experimental implementations:
From-Origin (including 35 test cases, not yet upstreamed) Available in Safari Technology Preview 56:
Cross-Origin-Options (including 7 upstreamed test cases)
   Regards, John

Received on Thursday, 17 May 2018 17:47:55 UTC