W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2018

Re: A primer on cross-origin information leaks

From: John Wilander <wilander@apple.com>
Date: Thu, 17 May 2018 11:05:19 -0700
Message-id: <9C68EE55-2AAD-4BF8-9936-C47547A471CB@apple.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
To: Artur Janc <aaj@google.com>
> On May 17, 2018, at 10:47 AM, John Wilander <wilander@apple.com> wrote:
> 
> 
>> On May 15, 2018, at 4:24 PM, Artur Janc <aaj@google.com <mailto:aaj@google.com>> wrote:
>> 
>> Hey WebAppSec,
>> 
>> We've recently had interesting discussions about various mechanisms to restrict cross-origin resource loads (CORB, From-Origin, Sec-Metadata, Cross-Origin-Isolate) in the context of Spectre. One issue that these threads touched upon, but didn't go into much detail about, is the threat model in which these mechanisms exist, i.e. what vulnerabilities they hope to address.
>> 
>> To analyze this in more detail, Mike and I put together a doc to review the major known types of cross-origin information leaks, and outline how the recent proposals fare against them:
>> 
>> https://docs.google.com/document/d/1cbL-X0kV_tQ5rL8XJ3lXkV-j0pt_CfTu5ZSzYrncPDc/edit <https://docs.google.com/document/d/1cbL-X0kV_tQ5rL8XJ3lXkV-j0pt_CfTu5ZSzYrncPDc/edit>
>> (opened up for public comments; I also uploaded a PDF here <https://www.arturjanc.com/cross-origin-infoleaks.pdf> in case that's easier to read)
>> 
>> My main takeaway from putting this together is that it may be valuable to provide developers with general mechanisms that allow them to protect against the larger issue of cross-origin attacks, rather than focus on the specific threat of Spectre. I hope that the doc gives some useful context for why this is a problem worth solving, and outlines a path forward, both when it comes preventing speculative execution attacks, and addressing one of the major long-standing classes of vulnerabilities we've had on the web. This is kind of an exciting prospect, so I'd appreciate it if y'all could take a look!
> 
> Thanks for the writeup! Three things that I think we need to add:
> A more thorough analysis of ease of adoption. This should include what we think might break, complexity of the technology, data transfer impact, and how the technology interacts with existing cross-origin controls. For example, what should happen if a response contains conflicting CORS, XFO, and From-Origin directives?
> Privacy impact. The more meta data we send to servers, the more they know about the user.
> Adding the concept of Same-Site (eTLD+1, potentially scheme+eTLD+1) to all of these origin controls. I believe adoption will be easier if developers can deploy CSP, XFO, From-Origin, and Cross-Origin-Options with Same-Site.

Sorry for fragmented replies. Another thought I had was …

4. Doesn’t SameSite cookies provide the same information to servers as the Sec-Site {same-origin, same-site, cross-site} request header?

   Regards, John

> 
> Here’s an update on experimental implementations:
> From-Origin (including 35 test cases, not yet upstreamed) https://trac.webkit.org/changeset/230968/webkit/ <https://trac.webkit.org/changeset/230968/webkit/> Available in Safari Technology Preview 56: https://webkit.org/blog/8296/release-notes-for-safari-technology-preview-56/ <https://webkit.org/blog/8296/release-notes-for-safari-technology-preview-56/>
> Cross-Origin-Options (including 7 upstreamed test cases) https://trac.webkit.org/changeset/231622/webkit <https://trac.webkit.org/changeset/231622/webkit>
Received on Thursday, 17 May 2018 18:05:52 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 17 May 2018 18:05:53 UTC