Understanding Sandbox Security and Content Policies

Slide Note
Embed
Share

Explore the concept of sandboxing and content security policies, emphasizing the Principle of Least Privilege. The use of sandboxed iframes and their default behaviors are discussed, highlighting how each capability can be added or restricted based on security requirements. Learn about the granular control over privileges granted to externally loaded content and the importance of maintaining security measures in web development.

petrosyan_s
petrosyan_s Follow

Uploaded on Sep 17, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Sandboxing and Content Security Policies Tyler Moore CS 7403 University of Tulsa

  2. Principle of Least Privilege Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. - Jerome Saltzer, Comm. ACM (1974)

  3. What priviliges are granted to externally-loaded content? vs.

  4. Sandboxed iframes Regular iframes grant many privileges that may be unnecessary (access to entire DOM, running scripts, etc.) by default, all the capabilities are on Sandboxed iframes turn most capabilities off by default, then let developers choose what should be turned on http://www.html5rocks.com/en/tutorials/sec urity/sandboxed-iframes/

  5. Sandboxed iframes default behavior JavaScript will not execute in the framed document Loaded into a unique origin, which means that all same- origin checks will fail Document has no access to data stored in any origin s cookies, DOM Cannot create new windows or dialogs Forms cannot be submitted Plugins will not load The framed document can only navigate itself, not its top- level parent Features that trigger automatically (autofocused form elements, autoplaying videos, etc.) are blocked

  6. Each capability can be added allow-forms allows form submission allow-popups allows popups (window.open(), showModalDialog(), target= _blank , etc.) allow-pointer-lock allows pointer lock allow-same-origin allows the document to maintain its origin; pages loaded from https://example.com/ will retain access to that origin s data. allow-scripts allows JavaScript execution, and also allows features to trigger automatically (as they d be trivial to implement via JavaScript). allow-top-navigation allows the document to break out of the frame by navigating the top-level window.

  7. Back to the tweet button allow-scripts is required, as the page loaded into the frame runs some JavaScript to deal with user interaction. allow-popups is required, as the button pops up a tweeting form in a new window. allow-forms is required, as the tweeting form should be submittable. allow-same-origin is necessary, as twitter.com s cookies would otherwise be inaccessible, and the user couldn t log in to post the form.

  8. Sandboxing everywhere Sandboxing isn t only for third-party content Principle of least privilege applies to your own code as well!

  9. Content Security Policy XSS attacks exploit the browser s inability to distinguish between scripts intentionally loaded by a website and scripts maliciously injected by a third-party Begs the question: can we limit the origins that the page can talk talk to? With CSP, we can! http://www.html5rocks.com/en/tutorials/sec urity/content-security-policy/

  10. Motivating example Google +1 script located at https://apis.google.com/js/plusone.js Without CSP, no way a site can differentiate between apis.google.com and evil.com Set HTTP Header Content-Security-Policy: script-src 'self' https://apis.google.com script-src directive specifies which sources can execute scripts on a page

  11. CSPs arent just for scripts base-uri restricts URLs allowd in a page s <base> element child-src lists the URLs for workers and embedded frame contents. (e.g., child-src https://youtube.com allows embedded videos only from YouTube) font-src specifies the origins that can serve web fonts. Google s Web Fonts could be enabled via font-src https://themes.googleusercontent.com form-action lists valid endpoints for submission from <form> tags.

  12. CSPs arent just for scripts img-src defines the origins from which images can be loaded media-src restricts the origins allowed to deliver video and audio object-src allows control over Flash and other plugins plugin-types limits the kinds of plugins a page may invoke

  13. Summary Principle of least privilege now available to web developers Many of the vulnerabilities we have discussed were enabled by over-permissive design Content Security Policy can whitelist permitted origins for 3rd party content Sandboxed iframes can restrict the capabilities granted to 3rd party content Responsibility for secure implementation now rests with developers

Related


Implications of Global Standing Instructions (GSI) and Sandbox Policies for MFBs

Implications of Global Standing Instructions (GSI) and Sandbox Policies for MFBs

schiffer_d
Sandbox 2.0 Proposal for Stakeholder-Driven Innovations

Sandbox 2.0 Proposal for Stakeholder-Driven Innovations

cslaw
Understanding the BVIs FinTech Regulatory Sandbox

Understanding the BVIs FinTech Regulatory Sandbox

solana
Technology Assurance Sandbox: Promoting Innovation and Assurances

Technology Assurance Sandbox: Promoting Innovation and Assurances

ragnar
Workshop on ABDM Sandbox Integration - Milestone-1

Workshop on ABDM Sandbox Integration - Milestone-1

zoeyhall
Role-based Access Control Policies and Security Properties Overview

Role-based Access Control Policies and Security Properties Overview

shma570
Virginia Department for Aging and Rehabilitative Services Cyber Security Policies

Virginia Department for Aging and Rehabilitative Services Cyber Security Policies

pnie
Understanding Information Security Policies for Effective Cybersecurity

Understanding Information Security Policies for Effective Cybersecurity

ritenour_s
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Understanding Cross-Domain Policies in Web Application Security

Understanding Cross-Domain Policies in Web Application Security

jayelyn
Understanding Security in World Politics

Understanding Security in World Politics

eisenberg_k
Certification and Training in Information Security

Certification and Training in Information Security

buck
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

kol_lov
Understanding Computer Security Principles and Practices

Understanding Computer Security Principles and Practices

jos_o
Managing Device Proliferation and BYOD Policies in SMB Non-Profits

Managing Device Proliferation and BYOD Policies in SMB Non-Profits

sre_r
Understanding Content Management Systems

Understanding Content Management Systems

ianthe
Understanding Multi-Head Attention Layers in Transformers

Understanding Multi-Head Attention Layers in Transformers

reign
Visitor Orientation Guide for Prince William Manassas Regional Adult Detention Center

Visitor Orientation Guide for Prince William Manassas Regional Adult Detention Center

seer344
Understanding Compliance Monitoring Data Portal (CMDP)

Understanding Compliance Monitoring Data Portal (CMDP)

lucy
Understanding Security Management in an ICT Environment

Understanding Security Management in an ICT Environment

truett
Understanding Information Security Basics

Understanding Information Security Basics

ryley
Implementing Smoke and Tobacco-Free Policies on College Campuses

Implementing Smoke and Tobacco-Free Policies on College Campuses

brazile_m
International Approaches to Enhance Nuclear Safety and Security

International Approaches to Enhance Nuclear Safety and Security

mazarine

More Related Content

Comprehensive Information Security Planning and Principles Overview
Comprehensive Information Security Planning and Principles Overview
Alberta Home Care Policy Revision 2023 Overview
Alberta Home Care Policy Revision 2023 Overview
Understanding Cyber Security and Risks
Understanding Cyber Security and Risks
Infrastructure Trials for Technology Coordinators - Overview and Logistics
Infrastructure Trials for Technology Coordinators - Overview and Logistics
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
PAN Tasks for Accessibility and Accommodations Training Session
PAN Tasks for Accessibility and Accommodations Training Session
Enhancing Learning with Twitter: Strategies for Better Engagement
Enhancing Learning with Twitter: Strategies for Better Engagement
Understanding Security Threats and Countermeasures
Understanding Security Threats and Countermeasures
IPv6 Security and Threats Workshop Summary
IPv6 Security and Threats Workshop Summary
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Overview of Social Security and Health Care System in Turkey
Overview of Social Security and Health Care System in Turkey
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke
Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Evolving Security Practices in DevOps: A Holistic Approach
Evolving Security Practices in DevOps: A Holistic Approach
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
Enhancing Security Definitions for Functional Encryption
Enhancing Security Definitions for Functional Encryption
TSA Updates on Security Training Rule for OTRB Companies
TSA Updates on Security Training Rule for OTRB Companies
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Managing Application Security in Large Organizations: Insights and Best Practices
Managing Application Security in Large Organizations: Insights and Best Practices
CAMPUS SECURITY AUTHORITY (CSA) TRAINING CAMPUS SECURITY AUTHORITY (CSA) TRAINING
CAMPUS SECURITY AUTHORITY (CSA) TRAINING CAMPUS SECURITY AUTHORITY (CSA) TRAINING
Test Security Guidelines for 2015-16 CAASPP Administration
Test Security Guidelines for 2015-16 CAASPP Administration
Hardware Security and Trusted Platform Module Overview
Hardware Security and Trusted Platform Module Overview