
Commit 9aa02e0

Authored by terjanq, jerryzz0, arturjanc, goedi02
Add more isolation policies and fix other errors. (#90)
* Add more isolation policies and fix other errors.
* Too much info
* Change : to = in SameSite
* Clarify that sec-fetch is a header
* Update content/docs/defenses/isolation-policies/strict-isolation.md
  Co-authored-by: jerryzz0 <22921243+jerryzz0@users.noreply.github.com>
* Update content/docs/defenses/isolation-policies/_index.md
  Co-authored-by: arturjanc <arturjanc@gmail.com>
* Applied improvements from the review and other tweaks
* typo
* Fix link
* Add embeds in a comment
* Dot and other changes
* Isolation Policies - Editorial pass (#91)
* A new PR for Dirk
* Update _index.md editorial pass
* Update framing-isolation.md Editorial pass
* Update resource-isolation.md Editorial pass
* Update navigation-isolation.md Editorial pass
* Update strict-isolation.md Editorial pass
* Update framing-isolation.md missing comma
  Co-authored-by: goedi02 <60691757+goedi02@users.noreply.github.com>
* change order

Co-authored-by: jerryzz0 <22921243+jerryzz0@users.noreply.github.com>
Co-authored-by: arturjanc <arturjanc@gmail.com>
Co-authored-by: goedi02 <60691757+goedi02@users.noreply.github.com>
Parent: 7438d54

6 files changed (+159 −34 lines)


content/docs/defenses/isolation-policies/_index.md

+7 −4
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,14 @@
11
---
22
title: "Isolation Policies"
3-
weight: 30
3+
weight: 3
44
---
55

66
# Isolation Policies
77

8-
This section contains example deployments of isolation policies that make use of the introduced defenses.
8+
This section describes proposed defenses against different kinds of cross-site interactions, presented in the form of _isolation policies_:
9+
10+
* To defend against cross-site requests for common resources (e.g. scripts, images, fetch) with [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}), check [Resource Isolation Policy]({{< ref "./resource-isolation.md" >}}).
11+
* To defend against cross-site framing with [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}), check [Framing Isolation Policy]({{< ref "./framing-isolation.md" >}}).
12+
* To defend against cross-site navigational requests with [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}), check [Navigation Isolation Policy]({{< ref "./navigation-isolation.md" >}}).
13+
* To defend against all cross-site interactions with either [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}), [SameSite cookies]({{< ref "../opt-in/same-site-cookies">}}), or the Referer header, check [Strict Isolation Policy]({{< ref "./strict-isolation.md" >}}).
914

10-
* Defend against cross-site framing with Fetch-Metadata, see [Framing Isolation Policy]({{< ref "./framing-isolation.md" >}}).
11-
* Defend against cross-site requests with Fetch-Metadata, see [Resource Isolation Policy]({{< ref "./resource-isolation.md" >}}).
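Review bot: the `ref` for SameSite cookies (`../opt-in/same-site-cookies`, no `.md`, no trailing slash) is written differently from the other refs in this list, which all end in `.md` (`../opt-in/fetch-metadata.md`, `./resource-isolation.md`, `./framing-isolation.md`, ...), and strict-isolation.md in this same commit links the same page as `../opt-in/same-site-cookies/#samesite-cookie-modes`; pick one form and use it on both pages. Style: "with [Fetch Metadata](...)" is repeated verbatim on three consecutive bullets; saying once that the first three policies are built on Fetch Metadata, and linking "the Referer header" the way the other defenses are linked, would read tighter.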

content/docs/defenses/isolation-policies/framing-isolation.md

+25 −11
Original file line numberDiff line numberDiff line change
@@ -6,30 +6,44 @@ category = [
66
"Defense",
77
]
88
menu = "main"
9+
weight = 2
910
+++
10-
Framing Isolation Policy supplements [Resource Isolation Policy]({{< ref "resource-isolation.md" >}}) to protect against cross-origin information leaks by
11-
additionally blocking framing requests to non-framable endpoints.
11+
Framing Isolation Policy is a stricter version of [Framing Protections]({{< ref "../opt-in/xfo" >}}) where the request gets blocked at the application level rather than by the browser. This is designed to protect against various attacks (e.g. XSSI, CSRF, XS-Leaks) by blocking framing requests to endpoints that are not intended to be framable.
1212

13-
## Example
13+
It can be combined with [Resource Isolation Policy]({{< ref "resource-isolation.md" >}}) to effectively tighten the attack surface within cross-site information leaks.
1414

15-
The below snippet showcases an example implemention of the Framing Isolation Policy by the application.
15+
{{< hint tip >}}
16+
Instead of rejecting all non-framable endpoints, the user could be prompted to confirm the action, e.g. *Confirm that you visited this page from a trusted origin*, to mitigate the risk of attacks in the background, and, at the same time, help prevent unintended breakages of an application.
17+
{{< /hint >}}
18+
19+
{{< hint tip >}}
20+
When deployed together with [Resource Isolation Policy]({{< ref "resource-isolation.md" >}}), Framing Isolation Policy does not protect against leaks utilizing window references (e.g. `window.length`), so other navigational protections such as [COOP]({{< ref "../opt-in/coop" >}}) or [Navigation Isolation Policy]({{< ref "navigation-isolation" >}}) can be helpful.
21+
{{< /hint >}}
22+
23+
## Implementation with Fetch Metadata
24+
25+
The below snippet showcases an example implemention of the Framing Isolation Policy by an application:
1626

1727
```py
18-
# Reject cross-origin requests to protect from CSRF, XSSI, and other bugs
28+
# Reject cross-site requests to protect from CSRF, XSSI, XS-Leaks, and other bugs
1929
def allow_request(req):
2030
# Allow requests from browsers which don't send Fetch Metadata
21-
if not req['sec-fetch-site'] or not req['sec-fetch-mode'] or not req['sec-fetch-dest']:
31+
if not req['headers']['sec-fetch-site']:
32+
return True
33+
if not req['headers']['sec-fetch-mode']:
34+
return True
35+
if not req['headers']['sec-fetch-dest']:
2236
return True
2337

2438
# Allow non-navigational requests
25-
if req['sec-fetch-mode'] not in ('navigate', 'nested-navigate'):
39+
if req['headers']['sec-fetch-mode'] not in ('navigate', 'nested-navigate'):
2640
return True
2741

28-
# Allow non-frameable requests.
29-
if req['sec-fetch-dest'] not in ('frame', 'iframe', 'embed', 'object'):
42+
# Allow requests not originated from embeddable elements
43+
if req['headers']['sec-fetch-dest'] not in ('frame', 'iframe', 'embed', 'object'):
3044
return True
3145

32-
# [OPTIONAL] Exempt paths/endpoints meant to be served cross-origin.
46+
# [OPTIONAL] Exempt paths/endpoints meant to be served cross-site.
3347
if req.path in ('/my_frame_ancestors_host_src'):
3448
return True
3549
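Review bot: `if req.path in ('/my_frame_ancestors_host_src'):` is a substring test against a string, not a membership test against a tuple, because a one-element tuple needs a trailing comma; as written, a path such as `/my` would be exempted. Change it to `('/my_frame_ancestors_host_src',)`. In the same block, the three new header checks use `req['headers']['sec-fetch-site']`, `req['headers']['sec-fetch-mode']` and `req['headers']['sec-fetch-dest']`, which raise `KeyError` when the header is absent, so the "Allow requests from browsers which don't send Fetch Metadata" branch never actually returns `True` for those browsers; `req['headers'].get('sec-fetch-site')` (and likewise for the other two) is what the comment describes. Minor: "implemention" in the lead-in sentence.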

@@ -38,5 +52,5 @@ def allow_request(req):
3852
```
3953

4054
## Considerations
41-
1. Framing Isolation Policy cannot be applied if an endpoint allows framing requests from specific origins via `X-Frame-Options` and/or Content Security Policy's
55+
Framing Isolation Policy cannot be applied if an endpoint allows framing requests from specific origins via `X-Frame-Options` and/or Content Security Policy's
4256
`frame-ancestors` directive.
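Review bot: "Framing Isolation Policy cannot be applied if an endpoint allows framing requests from specific origins" reads as contradicting the snippet above, whose `# [OPTIONAL] Exempt paths/endpoints meant to be served cross-site.` branch exists for exactly those endpoints. Suggest rewording to say that endpoints which legitimately allow framing from specific origins via `X-Frame-Options` or `frame-ancestors` must be added to the exemption list and keep relying on those headers, so the reader knows where such endpoints go rather than concluding the policy is unusable.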
content/docs/defenses/isolation-policies/navigation-isolation.md

Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
+++
2+
title = "Navigation Isolation Policy"
3+
description = ""
4+
date = "2020-11-30"
5+
category = [
6+
"Defense",
7+
]
8+
menu = "main"
9+
weight = 3
10+
+++
11+
Navigation Isolation Policy is a server-side protection mechanism intended to mitigate CSRF, clickjacking, reflected XSS, and XS-Leaks that make use of cross-site window contexts. This is a strict policy and has the potential to break an application since it blocks all cross-site navigations, including navigations through hyperlinks.
12+
13+
{{< hint tip >}}
14+
Instead of rejecting all cross-site interactions, the user could be prompted to confirm the action, e.g. *Confirm that you visited this page from a trusted origin*, to mitigate the risk of attacks in the background, and, at the same time, help prevent unintended breakages of an application.
15+
{{< /hint >}}
16+
17+
## Implementation with Fetch Metadata
18+
19+
The below snippet showcases an example implemention of the Navigation Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers [^secmetadata]:
20+
21+
```py
22+
# Reject cross-site requests to protect from clickjacking, XS-Leaks, and other bugs
23+
def allow_request(req):
24+
# Allow any request that is not cross-site
25+
if req['headers']['sec-fetch-site'] != 'cross-site':
26+
return True
27+
28+
# Allow requests to endpoints meant to be navigated to, e.g. homepage
29+
if req.path in whitelisted_paths:
30+
return True
31+
32+
# Block all top-level cross-site navigations, including embeds
33+
if req['headers']['sec-fetch-mode'] in ('navigate', 'nested-navigate'):
34+
return False
35+
36+
# Allow all other requests
37+
return True
38+
```
39+
## References
40+
[^secmetadata]: Fetch Metadata Request Headers playground, [link](https://secmetadata.appspot.com/)
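Review bot: `whitelisted_paths` is used but never defined in the snippet, whereas the sibling pages inline their exemptions (`if req.path in ('/my_CORS_endpoint', '/favicon.png'):`); define it above the function or inline a tuple so the example runs as pasted. The first check, `req['headers']['sec-fetch-site'] != 'cross-site'`, raises `KeyError` when the header is missing instead of allowing the request the way the other policies' "browsers which don't send Fetch Metadata" branch does; `req['headers'].get('sec-fetch-site')` gives that behaviour, and the page should say which way it wants to fail. Wording: the intro lists "CSRF, clickjacking, reflected XSS, and XS-Leaks" while the code comment lists "clickjacking, XS-Leaks, and other bugs"; align the two. The hint says "Instead of rejecting all cross-site interactions", but this policy only rejects navigations (`sec-fetch-mode` in `navigate`/`nested-navigate`), so "cross-site navigations" is the accurate phrase here.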
content/docs/defenses/isolation-policies/resource-isolation.md

Original file line numberDiff line numberDiff line change
@@ -1,22 +1,21 @@
11
+++
2-
title = "Resource Isolation"
2+
title = "Resource Isolation Policy"
33
description = ""
44
date = "2020-11-30"
55
category = [
66
"Defense",
77
]
88
menu = "main"
9+
weight = 1
910
+++
10-
Resource Isolation Policy prevents your resources from being requested by external websites. Blocking such traffic mitigates common web vulnerabilities such as CSRF,
11-
XSSI, timing attacks, and XS-Leaks. The policy can be enabled for applications whose endpoints are not loaded in a cross-site context and will allow
12-
resource requests coming from your application as well as direct navigations.
11+
Resource Isolation Policy prevents external websites from requesting your resources. Blocking such traffic mitigates common web vulnerabilities such as CSRF, XSSI, or XS-Leaks. The policy can be enabled for applications whose endpoints are not intended to be loaded in a cross-site context and will allow resource requests coming from your application as well as direct navigations.
1312

14-
## Example
13+
## Implementation with Fetch Metadata
1514

16-
The below snippet showcases an example implemention of the Resource Isolation Policy by the application.
15+
The below snippet showcases an example implemention of the Resource Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers:
1716

1817
```py
19-
# Reject cross-origin requests to protect from CSRF, XSSI, and other bugs
18+
# Reject cross-origin requests to protect from , XSSI, XS-Leaks, and other bugs
2019
def allow_request(req):
2120
# [OPTIONAL] Exempt paths/endpoints meant to be served cross-origin.
2221
if req.path in ('/my_CORS_endpoint', '/favicon.png'):
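Review bot: the edited comment `# Reject cross-origin requests to protect from , XSSI, XS-Leaks, and other bugs` dropped "CSRF" but kept its comma; framing-isolation.md in this same commit has the intended form, "to protect from CSRF, XSSI, XS-Leaks, and other bugs". The same comment, and the `# [OPTIONAL] Exempt paths/endpoints meant to be served cross-origin.` line below it, still say "cross-origin" even though the function's own allow branch accepts `same-site` and the rest of the commit was changed to "cross-site"; "cross-site" matches what the code does. Minor: "implemention" in the lead-in sentence.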
@@ -25,29 +24,25 @@ def allow_request(req):
2524
# Safe to set `Cross-Origin-Resource-Policy: same-site`. (see Considerations)
2625

2726
# Allow requests from browsers which don't send Fetch Metadata
28-
if not req['sec-fetch-site']:
27+
if not req['headers']['sec-fetch-site']:
2928
return True
3029

3130
# Allow same-site and browser-initiated requests
32-
if req['sec-fetch-site'] in ('same-origin', 'same-site', 'none'):
31+
if req['headers']['sec-fetch-site'] in ('same-origin', 'same-site', 'none'):
3332
return True
3433

35-
# Allow simple top-level navigations except <object> and <embed>
36-
if req['sec-fetch-mode'] == 'navigate' and req.method == 'GET':
34+
# Allow simple top-level navigations, this includes embeds
35+
if req['headers']['sec-fetch-mode'] == 'navigate' and req.method == 'GET':
3736
return True
3837

3938
# Reject all other requests
4039
return False
4140
```
4241

4342
## Considerations
44-
It should be safe to set a `Cross-Origin-Resource-Policy: same-site` response header on all requests that have not explicitly been exempted from Resource Isolation Policy. See [CORP]({{< ref "../opt-in/corp.md" >}})
43+
It should be safe to set a `Cross-Origin-Resource-Policy: same-site` response header on all requests that have not explicitly been exempted from Resource Isolation Policy. See [CORP]({{< ref "../opt-in/corp.md" >}}).
4544

4645

4746
## Deployment
4847

4948
Check out this [web.dev](https://web.dev/fetch-metadata/) article to learn more about this protection, some different policies, and tips on how to deploy it.
50-
51-
<!-- ## References
52-
53-
[^1]: Protect your resources from web attacks with Fetch Metadata, [link](https://web.dev/fetch-metadata/) -->
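Review bot: "Allow simple top-level navigations, this includes embeds" is a comma splice and, more importantly, it removes the earlier `<object>`/`<embed>` caveat without telling the reader how to keep embeds out; since `sec-fetch-mode == 'navigate'` now lets them through, a pointer that embeds can be blocked by adding the `sec-fetch-dest` check from Framing Isolation Policy would close that gap. In Considerations, `Cross-Origin-Resource-Policy: same-site` is a response header, so "on all responses that have not explicitly been exempted" rather than "on all requests"; the `# Safe to set ... (see Considerations)` comment in the exemption branch could say the same.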
content/docs/defenses/isolation-policies/strict-isolation.md

Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
+++
2+
title = "Strict Isolation Policy"
3+
description = ""
4+
date = "2020-11-30"
5+
category = [
6+
"Defense",
7+
]
8+
menu = "main"
9+
weight = 4
10+
+++
11+
Strict Isolation Policy is intended to protect against all cross-site interactions (including navigations to the application through hyperlinks). This is a very strict policy that has the potential to prevent applications from functioning properly.
12+
13+
{{< hint tip >}}
14+
Instead of rejecting all cross-site interactions, the user could be prompted to confirm the action, e.g. *Confirm that you visited this page from a trusted origin*, to mitigate the risk of attacks in the background, and, at the same time, help prevent unintended breakages of an application.
15+
16+
However, this would only work for navigational requests, since other resources are loaded in the background.
17+
{{< /hint >}}
18+
19+
20+
## Implementation with Fetch Metadata
21+
22+
The below snippet showcases an example implementation of Strict Isolation Policy by an application:
23+
24+
```py
25+
# Reject cross-origin requests to protect from CSRF, XSSI, and other bugs
26+
def allow_request(req):
27+
# Allow requests from browsers which don't send Fetch Metadata
28+
if not req['headers']['sec-fetch-site']:
29+
return True
30+
31+
# Block any cross-site request
32+
if req['headers']['sec-fetch-site'] == 'cross-site':
33+
return False
34+
35+
# Allow all other requests
36+
return True
37+
```
38+
39+
## Implementation with SameSite cookies
40+
If a server sends a cookie with the [`SameSite=strict`]({{< ref "../opt-in/same-site-cookies/#samesite-cookie-modes" >}}) flag, any returned request that doesn't contain that cookie can be rejected, as showcased in this snippet:
41+
42+
```py
43+
# Reject cross-origin requests to protect from CSRF, XSSI, and other bugs
44+
def allow_request(req):
45+
46+
if req['cookies']['strict-cookie'] == 'true':
47+
return True
48+
49+
# Block requests without a strict cookie
50+
return False
51+
```
52+
53+
## Implementation with Referer
54+
It is also possible to reject requests from untrusted origins with the [`Referer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) header:
55+
56+
```py
57+
# Reject requests that came from untrusted referrers
58+
def allow_request(req):
59+
60+
# check if the referer header is trusted, i.e. exists in trusted_referers dict
61+
if req['headers']['referer'] in trusted_referers:
62+
return True
63+
64+
# Block requests without a strict cookie
65+
return False
66+
```
67+
68+
{{< hint important >}}
69+
It is not guaranteed that every request will contain the Referer header (e.g. extensions can strip the header) which could potentially break an application. Also be aware that it is possible to set the value of `Referer` to `null`.
70+
71+
Twitter deployed [^twitter_silhouette] a similar protection against XS-Leaks.
72+
[^twitter_silhouette]: Protecting user identity against Silhouette, [link](https://blog.twitter.com/engineering/en_us/topics/insights/2018/twitter_silhouette.html)
73+
{{< /hint >}}
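Review bot: the Referer snippet's final comment, `# Block requests without a strict cookie`, was copied from the SameSite snippet and should read "Block requests from untrusted referrers". In that snippet, `req['headers']['referer'] in trusted_referers` compares the full `Referer` value, which can carry a path and query, against `trusted_referers`, which is neither defined nor described beyond "dict"; parse the origin out of the header and compare it against a set of trusted origins, and handle the missing-header case the hint itself warns about, because `req['headers']['referer']` raises `KeyError` there instead of reaching `return False`. In the SameSite snippet, `req['cookies']['strict-cookie'] == 'true'` accepts a constant and also raises `KeyError` when the cookie is absent, which is exactly the case the prose says should be rejected; check presence with `.get` and, ideally, bind the cookie value to the session. The first snippet's comment still says "cross-origin" while the code blocks `cross-site`. The hint's sentence "it is possible to set the value of `Referer` to `null`" cites nothing; add a reference or drop it. Finally, the `[^twitter_silhouette]` footnote definition sits inside the `{{< hint important >}}` block; navigation-isolation.md in this commit puts `[^secmetadata]` under a `## References` heading, and this page should follow the same layout.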
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,11 @@
11
+++
22
title = "Secure Defaults"
3-
weight = 2
3+
weight = 10
44
+++
55

66
# Secure Defaults
77

88
This section contains articles discussing two types of secure defaults:
99

10-
* [Partitioned Caches]({{< ref "./partitioned-cache.md" >}}) – Ensure that cache resources cannot be shared in between different sites.
11-
* [Cross Origin Read Blocking (CORB)]({{< ref "./corb.md" >}}) – Prevents certain types of responses from being referenced by certain classes of requests.
10+
* [Partitioned Caches]({{< ref "./partitioned-cache.md" >}}) – Ensure that cache resources cannot be shared in between different sites.
11+
* [Cross Origin Read Blocking (CORB)]({{< ref "./corb.md" >}}) – Prevents certain types of responses from being referenced by certain classes of requests.
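Review bot: the two bullets under "two types of secure defaults" show as removed and re-added with identical visible text, so this is most likely a whitespace or line-ending change; if it is unintentional, revert it so the hunk is only the `weight = 2` to `weight = 10` change. That weight change is not mentioned in the commit message either, which otherwise lists every file touched.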
