Slide 1
Sandboxing and Content Security Policies
Tyler Moore
CS 7403
University of Tulsa
Slide 2
Principle of Least Privilege
“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
- Jerome Saltzer, Comm. ACM (1974)
Slide 3
What privileges are granted to externally-loaded content?
[figure: comparison image, captioned "vs."]
Slide 4
Sandboxed iframes
- Regular iframes grant many privileges that may be unnecessary (access to the entire DOM, running scripts, etc.); by default, all the capabilities are on
- Sandboxed iframes turn most capabilities off by default, then let developers choose what should be turned on
http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
Slide 5
Sandboxed iframes: default behavior
- JavaScript will not execute in the framed document
- Loaded into a unique origin, which means that all same-origin checks will fail
- Document has no access to data stored in any origin’s cookies or DOM
- Cannot create new windows or dialogs
- Forms cannot be submitted
- Plugins will not load
- The framed document can only navigate itself, not its top-level parent
- Features that trigger automatically (autofocused form elements, autoplaying videos, etc.) are blocked
Slide 6
Each capability can be added
- allow-forms allows form submission
- allow-popups allows popups (window.open(), showModalDialog(), target="_blank", etc.)
- allow-pointer-lock allows pointer lock
- allow-same-origin allows the document to maintain its origin; pages loaded from https://example.com/ will retain access to that origin’s data.
- allow-scripts allows JavaScript execution, and also allows features to trigger automatically (as they’d be trivial to implement via JavaScript).
- allow-top-navigation allows the document to break out of the frame by navigating the top-level window.
Slide 7
Back to the tweet button
- allow-scripts is required, as the page loaded into the frame runs some JavaScript to deal with user interaction.
- allow-popups is required, as the button pops up a tweeting form in a new window.
- allow-forms is required, as the tweeting form should be submittable.
- allow-same-origin is necessary, as twitter.com’s cookies would otherwise be inaccessible, and the user couldn’t log in to post the form.
Slide 8
Sandboxing everywhere
- Sandboxing isn’t only for third-party content
- Principle of least privilege applies to your own code as well!
Slide 9
Content Security Policy
- XSS attacks exploit the browser’s inability to distinguish between scripts intentionally loaded by a website and scripts maliciously injected by a third party
- This raises the question: can we limit the origins that the page can talk to?
- With CSP, we can!
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
Slide 10
Motivating example
- Google +1 script located at https://apis.google.com/js/plusone.js
- Without CSP, there is no way a site can differentiate between apis.google.com and evil.com
- Set the HTTP header:
  Content-Security-Policy: script-src 'self' https://apis.google.com
- The script-src directive specifies which sources can execute scripts on a page
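An added example, not from the slides, that models how a browser evaluates the script-src directive from the motivating example: it parses a CSP header and decides whether a given script URL may run. The page origin https://example.com and the evil.com script URL are constructed inputs; wildcards, nonces and hashes are not modelled.

```javascript
// Added example (not from the slides): simplified model of how a browser
// evaluates script-src. Handles 'self', 'none' and host sources of the form
// [scheme://]host[:port]; wildcards, nonces and hashes are not modelled.

// Parse "script-src 'self' https://apis.google.com; img-src *" into a map.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression match the candidate URL?
function sourceMatches(source, pageOrigin, url) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;     // 'none' and unmodelled keywords
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  if (host.toLowerCase() !== url.hostname.toLowerCase()) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  return !port || port === '*' || port === urlPort;
}

// Would the page's CSP allow scriptUrl to run? script-src falls back to default-src.
function scriptAllowed(header, pageOrigin, scriptUrl) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                     // no directive: unrestricted
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, pageOrigin, url));
}

// Motivating example from the slides; the page origin is a constructed value.
const header = "script-src 'self' https://apis.google.com";
const page = 'https://example.com';
console.log(scriptAllowed(header, page, 'https://apis.google.com/js/plusone.js')); // true
console.log(scriptAllowed(header, page, 'https://evil.com/js/plusone.js'));        // false
console.log(scriptAllowed(header, page, 'https://example.com/app.js'));            // true
```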
Slide 11
CSPs aren’t just for scripts
- base-uri restricts the URLs allowed in a page’s <base> element
- child-src lists the URLs for workers and embedded frame contents (e.g., child-src https://youtube.com allows embedded videos only from YouTube)
- font-src specifies the origins that can serve web fonts. Google’s Web Fonts could be enabled via font-src https://themes.googleusercontent.com
- form-action lists valid endpoints for submission from <form> tags.
Slide 12
CSPs aren’t just for scripts (continued)
- img-src defines the origins from which images can be loaded
- media-src restricts the origins allowed to deliver video and audio
- object-src allows control over Flash and other plugins
- plugin-types limits the kinds of plugins a page may invoke
Slide 13
Summary
- Principle of least privilege now available to web developers
- Many of the vulnerabilities we have discussed were enabled by over-permissive design
- Content Security Policy can whitelist permitted origins for 3rd-party content
- Sandboxed iframes can restrict the capabilities granted to 3rd-party content
- Responsibility for secure implementation now rests with developers