Understanding Sandbox Security and Content Policies

Slide Note
Embed
Share

Explore the concept of sandboxing and content security policies, emphasizing the Principle of Least Privilege. The use of sandboxed iframes and their default behaviors are discussed, highlighting how each capability can be added or restricted based on security requirements. Learn about the granular control over privileges granted to externally loaded content and the importance of maintaining security measures in web development.


Uploaded on Sep 17, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Sandboxing and Content Security Policies Tyler Moore CS 7403 University of Tulsa

  2. Principle of Least Privilege Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. - Jerome Saltzer, Comm. ACM (1974)

  3. What priviliges are granted to externally-loaded content? vs.

  4. Sandboxed iframes Regular iframes grant many privileges that may be unnecessary (access to entire DOM, running scripts, etc.) by default, all the capabilities are on Sandboxed iframes turn most capabilities off by default, then let developers choose what should be turned on http://www.html5rocks.com/en/tutorials/sec urity/sandboxed-iframes/

  5. Sandboxed iframes default behavior JavaScript will not execute in the framed document Loaded into a unique origin, which means that all same- origin checks will fail Document has no access to data stored in any origin s cookies, DOM Cannot create new windows or dialogs Forms cannot be submitted Plugins will not load The framed document can only navigate itself, not its top- level parent Features that trigger automatically (autofocused form elements, autoplaying videos, etc.) are blocked

  6. Each capability can be added allow-forms allows form submission allow-popups allows popups (window.open(), showModalDialog(), target= _blank , etc.) allow-pointer-lock allows pointer lock allow-same-origin allows the document to maintain its origin; pages loaded from https://example.com/ will retain access to that origin s data. allow-scripts allows JavaScript execution, and also allows features to trigger automatically (as they d be trivial to implement via JavaScript). allow-top-navigation allows the document to break out of the frame by navigating the top-level window.

  7. Back to the tweet button allow-scripts is required, as the page loaded into the frame runs some JavaScript to deal with user interaction. allow-popups is required, as the button pops up a tweeting form in a new window. allow-forms is required, as the tweeting form should be submittable. allow-same-origin is necessary, as twitter.com s cookies would otherwise be inaccessible, and the user couldn t log in to post the form.

  8. Sandboxing everywhere Sandboxing isn t only for third-party content Principle of least privilege applies to your own code as well!

  9. Content Security Policy XSS attacks exploit the browser s inability to distinguish between scripts intentionally loaded by a website and scripts maliciously injected by a third-party Begs the question: can we limit the origins that the page can talk talk to? With CSP, we can! http://www.html5rocks.com/en/tutorials/sec urity/content-security-policy/

  10. Motivating example Google +1 script located at https://apis.google.com/js/plusone.js Without CSP, no way a site can differentiate between apis.google.com and evil.com Set HTTP Header Content-Security-Policy: script-src 'self' https://apis.google.com script-src directive specifies which sources can execute scripts on a page

  11. CSPs arent just for scripts base-uri restricts URLs allowd in a page s <base> element child-src lists the URLs for workers and embedded frame contents. (e.g., child-src https://youtube.com allows embedded videos only from YouTube) font-src specifies the origins that can serve web fonts. Google s Web Fonts could be enabled via font-src https://themes.googleusercontent.com form-action lists valid endpoints for submission from <form> tags.

  12. CSPs arent just for scripts img-src defines the origins from which images can be loaded media-src restricts the origins allowed to deliver video and audio object-src allows control over Flash and other plugins plugin-types limits the kinds of plugins a page may invoke

  13. Summary Principle of least privilege now available to web developers Many of the vulnerabilities we have discussed were enabled by over-permissive design Content Security Policy can whitelist permitted origins for 3rd party content Sandboxed iframes can restrict the capabilities granted to 3rd party content Responsibility for secure implementation now rests with developers

More Related Content