
Isolation by Default

Mike West
December 01, 2020


Presented at a mini-XSLeaks summit: TL;DR: Isolation is possible today, but is entirely opt-in. What if it was opt-out instead, and developers had to opt-into cross-origin collaboration? It would certainly be safer. Would it also be good?

(Yes. It would.)

Barely thought-through proposals:

* https://github.com/mikewest/coop-by-default/
* https://github.com/mikewest/embedding-requires-opt-in/
* https://github.com/mikewest/deprecating-document-domain/
* https://wicg.github.io/cors-rfc1918/
* https://github.com/mikewest/credentiallessness/


Transcript

  1. Status quo: Well-informed developers will adopt CORP, XFO, COOP, and COEP. Less-informed developers remain vulnerable.
  2. The Future? Browsers will isolate documents by default. Developers who require cross-origin collaboration can opt out of isolation.
  3. A Few Modest Proposals. User agents should:
     1. Apply COOP: same-origin-allow-popups by default: https://github.com/mikewest/coop-by-default/
     2. Require embedees to opt into framing rather than out of it: https://github.com/mikewest/embedding-requires-opt-in/
     3. Deprecate and remove impediments to origin isolation by default (most notably document.domain): https://github.com/mikewest/deprecating-document-domain
  4. A Few More Modest Proposals. User agents should:
     4. Require opt-in for communication across network boundaries: https://wicg.github.io/cors-rfc1918/
     5. Shift towards credentialless requests by default (SameSite=Lax on the one hand, COEP: x-bikeshed-credentialless-unless-cors on the other): https://github.com/mikewest/credentiallessness/
     6. Strict MIME type checking, in conjunction with CORB/ORB.