Commit
Add more isolation policies and fix other errors. (#90)
* Add more isolation policies and fix other errors.
* Too much info
* Change : to = in SameSite
* Clarify that sec-fetch is a header
* Update content/docs/defenses/isolation-policies/strict-isolation.md (Co-authored-by: jerryzz0 <22921243+jerryzz0@users.noreply.github.com>)
* Update content/docs/defenses/isolation-policies/_index.md (Co-authored-by: arturjanc <arturjanc@gmail.com>)
* Applied improvements from the review and other tweaks
* typo
* Fix link
* Add embeds in a comment
* Dot and other changes
* Isolation Policies - Editorial pass (#91)
* A new PR for Dirk
* Update _index.md editorial pass
* Update framing-isolation.md Editorial pass
* Update resource-isolation.md Editorial pass
* Update navigation-isolation.md Editorial pass
* Update strict-isolation.md Editorial pass
* Update framing-isolation.md missing comma (Co-authored-by: goedi02 <60691757+goedi02@users.noreply.github.com>)
* change order

Co-authored-by: jerryzz0 <22921243+jerryzz0@users.noreply.github.com>
Co-authored-by: arturjanc <arturjanc@gmail.com>
Co-authored-by: goedi02 <60691757+goedi02@users.noreply.github.com>
1 parent 7438d54, commit 9aa02e0. Showing 6 changed files with 159 additions and 34 deletions.
@@ -1,11 +1,14 @@ | ||
--- | ||
title: "Isolation Policies" | ||
weight: 30 | ||
weight: 3 | ||
--- | ||
|
||
# Isolation Policies | ||
|
||
This section contains example deployments of isolation policies that make use of the introduced defenses. | ||
This section describes proposed defenses against different kinds of cross-site interactions, presented in the form of _isolation policies_: | ||
|
||
* To defend against cross-site requests for common resources (e.g. scripts, images, fetch) with [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}), check [Resource Isolation Policy]({{< ref "./resource-isolation.md" >}}). | ||
* To defend against cross-site framing with [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}), check [Framing Isolation Policy]({{< ref "./framing-isolation.md" >}}). | ||
* To defend against cross-site navigational requests with [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}), check [Navigation Isolation Policy]({{< ref "./navigation-isolation.md" >}}). | ||
* To defend against all cross-site interactions with either [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}), [SameSite cookies]({{< ref "../opt-in/same-site-cookies">}}), or the Referer header, check [Strict Isolation Policy]({{< ref "./strict-isolation.md" >}}). | ||
|
||
* Defend against cross-site framing with Fetch-Metadata, see [Framing Isolation Policy]({{< ref "./framing-isolation.md" >}}). | ||
* Defend against cross-site requests with Fetch-Metadata, see [Resource Isolation Policy]({{< ref "./resource-isolation.md" >}}). |
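Review bot: the front matter of this file stays YAML (`---`, `weight: 3`) while the two files added in this same PR use TOML (`+++`, `weight = 3`); Hugo accepts both, but one style across the isolation-policies section would be cleaner. The four bullets each repeat "with [Fetch Metadata](...)"; the lead-in sentence could state once that the first three policies are built on Fetch Metadata, leaving the Strict Isolation bullet to list its three alternative signals. Also, `{{< ref "../opt-in/same-site-cookies">}}` is the only ref without a `.md` suffix; confirm it resolves to the section index rather than a page, since strict-isolation.md in this PR links it as `../opt-in/same-site-cookies/#samesite-cookie-modes`.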
content/docs/defenses/isolation-policies/navigation-isolation.md (40 changes: 40 additions & 0 deletions)
@@ -0,0 +1,40 @@ | ||
+++ | ||
title = "Navigation Isolation Policy" | ||
description = "" | ||
date = "2020-11-30" | ||
category = [ | ||
"Defense", | ||
] | ||
menu = "main" | ||
weight = 3 | ||
+++ | ||
Navigation Isolation Policy is a server-side protection mechanism intended to mitigate CSRF, clickjacking, reflected XSS, and XS-Leaks that make use of cross-site window contexts. This is a strict policy and has the potential to break an application since it blocks all cross-site navigations, including navigations through hyperlinks. | ||
|
||
{{< hint tip >}} | ||
Instead of rejecting all cross-site interactions, the user could be prompted to confirm the action, e.g. *Confirm that you visited this page from a trusted origin*, to mitigate the risk of attacks in the background, and, at the same time, help prevent unintended breakages of an application. | ||
{{< /hint >}} | ||
|
||
## Implementation with Fetch Metadata | ||
|
||
The below snippet showcases an example implemention of the Navigation Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers [^secmetadata]: | ||
|
||
```py | ||
# Reject cross-site requests to protect from clickjacking, XS-Leaks, and other bugs | ||
def allow_request(req): | ||
# Allow any request that is not cross-site | ||
if req['headers']['sec-fetch-site'] != 'cross-site': | ||
return True | ||
|
||
# Allow requests to endpoints meant to be navigated to, e.g. homepage | ||
if req.path in whitelisted_paths: | ||
return True | ||
|
||
# Block all top-level cross-site navigations, including embeds | ||
if req['headers']['sec-fetch-mode'] in ('navigate', 'nested-navigate'): | ||
return False | ||
|
||
# Allow all other requests | ||
return True | ||
``` | ||
## References | ||
[^secmetadata]: Fetch Metadata Request Headers playground, [link](https://secmetadata.appspot.com/) |
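Review bot: the first check, `req['headers']['sec-fetch-site'] != 'cross-site'`, does not handle a browser that sends no Fetch Metadata at all; on a plain dict a missing header raises rather than falling through, and the strict-isolation snippet in this same PR guards that case explicitly with `if not req['headers']['sec-fetch-site']`, so either add the same guard (or use `.get('sec-fetch-site')`) or state in a comment that an absent header is treated as allowed. The snippet also mixes `req.path` with `req['headers'][...]`; pick one access style. Two smaller points: the `whitelisted_paths` allowlist is consulted before the mode check, which is fine but deserves a comment that those paths stay reachable by cross-site navigation, and `nested-navigate` is no longer a `Sec-Fetch-Mode` value in the Fetch Metadata spec; framed loads arrive as `Sec-Fetch-Mode: navigate` with `Sec-Fetch-Dest: iframe` (or `frame`, `embed`, `object`), so the "including embeds" comment would be better backed by a `sec-fetch-dest` check.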
content/docs/defenses/isolation-policies/strict-isolation.md (73 changes: 73 additions & 0 deletions)
@@ -0,0 +1,73 @@ | ||
+++ | ||
title = "Strict Isolation Policy" | ||
description = "" | ||
date = "2020-11-30" | ||
category = [ | ||
"Defense", | ||
] | ||
menu = "main" | ||
weight = 4 | ||
+++ | ||
Strict Isolation Policy is intended to protect against all cross-site interactions (including navigations to the application through hyperlinks). This is a very strict policy that has the potential to prevent applications from functioning properly. | ||
|
||
{{< hint tip >}} | ||
Instead of rejecting all cross-site interactions, the user could be prompted to confirm the action, e.g. *Confirm that you visited this page from a trusted origin*, to mitigate the risk of attacks in the background, and, at the same time, help prevent unintended breakages of an application. | ||
|
||
However, this would only work for navigational requests, since other resources are loaded in the background. | ||
{{< /hint >}} | ||
|
||
|
||
## Implementation with Fetch Metadata | ||
|
||
The below snippet showcases an example implementation of Strict Isolation Policy by an application: | ||
|
||
```py | ||
# Reject cross-origin requests to protect from CSRF, XSSI, and other bugs | ||
def allow_request(req): | ||
# Allow requests from browsers which don't send Fetch Metadata | ||
if not req['headers']['sec-fetch-site']: | ||
return True | ||
|
||
# Block any cross-site request | ||
if req['headers']['sec-fetch-site'] == 'cross-site': | ||
return False | ||
|
||
# Allow all other requests | ||
return True | ||
``` | ||
|
||
## Implementation with SameSite cookies | ||
If a server sends a cookie with the [`SameSite=strict`]({{< ref "../opt-in/same-site-cookies/#samesite-cookie-modes" >}}) flag, any returned request that doesn't contain that cookie can be rejected, as showcased in this snippet: | ||
|
||
```py | ||
# Reject cross-origin requests to protect from CSRF, XSSI, and other bugs | ||
def allow_request(req): | ||
|
||
if req['cookies']['strict-cookie'] == 'true': | ||
return True | ||
|
||
# Block requests without a strict cookie | ||
return False | ||
``` | ||
|
||
## Implementation with Referer | ||
It is also possible to reject requests from untrusted origins with the [`Referer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) header: | ||
|
||
```py | ||
# Reject requests that came from untrusted referrers | ||
def allow_request(req): | ||
|
||
# check if the referer header is trusted, i.e. exists in trusted_referers dict | ||
if req['headers']['referer'] in trusted_referers: | ||
return True | ||
|
||
# Block requests without a strict cookie | ||
return False | ||
``` | ||
|
||
{{< hint important >}} | ||
It is not guaranteed that every request will contain the Referer header (e.g. extensions can strip the header) which could potentially break an application. Also be aware that it is possible to set the value of `Referer` to `null`. | ||
|
||
Twitter deployed [^twitter_silhouette] a similar protection against XS-Leaks. | ||
[^twitter_silhouette]: Protecting user identity against Silhouette, [link](https://blog.twitter.com/engineering/en_us/topics/insights/2018/twitter_silhouette.html) | ||
{{< /hint >}} |
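Review bot: the Referer check `req['headers']['referer'] in trusted_referers` compares the full referrer URL (path and query included) against the allowlist, so a trusted origin only matches when it sends exactly the listed string; parse the header (e.g. `urllib.parse.urlsplit`) and compare scheme plus host, and note that a `Referrer-Policy` may already reduce cross-site referrers to the bare origin. Several comments are stale: both the cookie and Referer snippets open with "Reject cross-origin requests" where the policy is about cross-site requests, and `# Block requests without a strict cookie` was copied unchanged into the Referer snippet. The Fetch Metadata and cookie snippets index `req['headers']['sec-fetch-site']` and `req['cookies']['strict-cookie']` directly, which raises on absence in a plain dict; `.get()` would make the intended fail-open (first snippet) and fail-closed (second) behaviour explicit. In the SameSite section, "any returned request" reads as "any subsequent request", and in the hint, "it is possible to set the value of `Referer` to `null`" would be clearer as: the sending page can suppress the header (`Referrer-Policy: no-referrer`, `rel="noreferrer"`), so an absent Referer must be treated as untrusted, which this snippet does. Finally, the `[^twitter_silhouette]` footnote is defined inside the hint shortcode while navigation-isolation.md in this PR puts its footnote under a `## References` heading; use the same layout in both files.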
@@ -1,11 +1,11 @@ | ||
+++ | ||
title = "Secure Defaults" | ||
weight = 2 | ||
weight = 10 | ||
+++ | ||
|
||
# Secure Defaults | ||
|
||
This section contains articles discussing two types of secure defaults: | ||
|
||
* [Partitioned Caches]({{< ref "./partitioned-cache.md" >}}) – Ensure that cache resources cannot be shared in between different sites. | ||
* [Cross Origin Read Blocking (CORB)]({{< ref "./corb.md" >}}) – Prevents certain types of responses from being referenced by certain classes of requests. | ||
* [Partitioned Caches]({{< ref "./partitioned-cache.md" >}}) – Ensure that cache resources cannot be shared in between different sites. | ||
* [Cross Origin Read Blocking (CORB)]({{< ref "./corb.md" >}}) – Prevents certain types of responses from being referenced by certain classes of requests. |
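Review bot: the only visible change in this hunk is `weight = 2` to `weight = 10`, yet the two bullet lines are rendered as removed-and-re-added pairs with no visible difference; that usually indicates a whitespace, line-ending or dash-encoding change (the `–` in both bullets is a candidate), so confirm it is intentional or revert the no-op rewrite to keep blame clean. The commit body says "change order" but does not say that Secure Defaults now sorts after Isolation Policies, whose weight goes from 30 to 3 in this same PR; a one-line note in the message would help the next reader.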