DOCSLIB.ORG

Enforcing Content Security by Default Within Web Browsers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Enforcing Content Security by Default Within Web Browsers 2016 IEEE Cybersecurity Development Enforcing Content Security by Default within Web Browsers Christoph Kerschbaumer Mozilla Corporation [email protected] Abstract—Web browsers were initially designed to retrieve side redirect to prevent a malicious page from circumventing resources on the world wide web in a static manner such that the initial security checks by performing a redirect. adding security checks in select locations throughout the codebase Instead of continuing current practice where developers sufficiently provided the necessary security guarantees of the web. have to opt-in to security checks whenever implementing a Even though systematic security checks were always performed, those security checks were sprinkled throughout the codebase. new standard for loading resources, we present an approach Over time, various specifications for dynamically loading content where content security is applied by default. Adding a central have proven that such a scattered security model is error-prone. API that relies on an opt-out mechanism provides the needed Instead of opting into security checks wherever resource loads infrastructure to prevent less security minded engineers from are initiated throughout the codebase, we present an approach accidentally introducing vulnerabilities. where security checks are performed by default. By equipping every resource load with a loading context (which includes We first provide background on the different content secu- information about who initiated the load, the load type, etc.), rity checks a browser performs before loading a URI (Sec- our approach enforces an opt-out security mechanism performing tion II) and contribute the following: security checks by default by consulting a centralized security manager. In addition, the added load context allows to provide We survey content security mechanisms before instan- • the same security guarantees for resource loads which encounter tiating a load request and after a server-side redirect, a server-side redirect. and provide the ratio of redirected URIs on the web (Section III). I. MOTIVATION We examine how Firefox has performed content security • Web browsers have become complex software applications checks historically (Section IV) and present design and that need to be capable of providing security guarantees when implementation details for enforcing content security by loading URIs from the web. For example, a browser needs to default within Firefox (v.50.0) (Section V). We provide an assessment of the engineering needed ensure that a web page can not access local resources on a • user’s computer. While web browsers were initially designed to retroactively provide an API for enforcing content for retrieving and displaying information resources on the security by default within a browser (Section VI). world wide web in static HTML, modern web browsers need to support the latest and constantly evolving web standards II. CONTENT SECURITY BACKGROUND capable of loading resources, like e.g. the fetch specifica- As of today, all major web browsers (Chrome, Edge, Fire- tion [WHATWG, 2015]. fox, Internet Explorer, Opera, Safari) are committed to imple- Before loading a URI, web browsers have to perform nu- ment most (if not all) of the security specifications defined by merous content security checks, such as evaluating that a script the World Wide Web Consortium (W3C) to improve security does not violate the same origin policy (SOP) [W3C, 2010b], in web browsers. The most important of those specifications or ensuring that the requested URI complies with the page’s are: Content Security Policy [W3C, 2014a]. At first, performing security checks in selective locations (SOP) [W3C, 2010b] The same • Same Origin Policy throughout the codebase sufficed to provide the required origin policy prevents malicious script on one page security. However, the abundance of new web standards for from obtaining access to sensitive data on another retrieving resources on the web caused such sprinkled security web page through that page’s Document Object Model checks to be error-prone. Even though systematic security (DOM) [W3C, 2004]. The SOP defines an origin as a checks are performed, a modern browser requires a central combination of scheme, host and port number. API to provide the same security guarantees for the different More recently, the W3C started discussions specifications capable of loading resources. about standardizing the concept of Subori- To complicate things further, the web evolved over time gins [Joel Weinberger, Devdatta Akhawe, 2016]. such that almost 12% of resource loads result in a server-side Suborigins define a mechanism for programmatically redirect (see Table I). To ensure the required security, browsers defining origins to isolate different applications running have to enforce the same security checks again after a server- in the same physical origin. User agents can extend the © 2016, Christoph Kerschbaumer. Under license to IEEE. 10183 DOI 10.1109/SecDev.2016.8 same-origin policy with this new namespace plus an In addition to these specifications major browsers also im- origin tuple to create a security boundary between this plement security standards defined by the Internet Engineering resource and resources in other namespaces. Task Force (IETF): (CORS) [W3C, 2010a] • Cross Origin Resource Sharing HTTP Strict Transport Security (HSTS) [IETF, 2012] To relax the same origin policy, the W3C specified CORS, HSTS protects against protocol downgrade attacks by provid- which creates a whitelist of trusted domains by extending ing a mechanism for web servers to declare that web browsers HTTP with a new origin request header. Hence CORS should only interact with it using secure HTTPS connections provides a mechanism which allows restricted resources and never allow connecting via the insecure HTTP protocol. (e.g., fonts) on a web page to be requested from a domain [Mike West, Richard Barnes, 2016] HSTS outside of the originating domain. HSTS Priming priming proposes modifications to the behavior of HSTS to [W3C, 2014b] The Mixed • Mixed Content Blocking mitigate the risk that mixed content blocking will prevent Content Blocker blocks insecure content on web pages migration from HTTP to HTTPS. Before blocking a third that are supposed to be secure. HTTP [W3C, 2016] itself party subresource as mixed content, HSTS priming would is not secure, which means connections are open for perform an anonymous ’preflight’ request to the subresource eavesdropping and man-in-the-middle attacks. If the main in question to check if the subresource is marked HSTS. If the page is served over HTTPS but includes HTTP content, subresource isn’t available over HSTS it would be blocked by then the HTTP portion can be read and modified by the mixed content blocker attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, then Ultimately, browsers need to enforce Access Permis- the mixed content blocker can block such ’mixed’ con- sion Checks to guarantee a webpage can not access lo- tent. cal files. For example, a browser needs to block requests trying to load an image from the local file system, e.g. (SRI) [W3C, 2014c] SRI pro- • Subresource Integrity file://home/secdev/conf.png. vides a mechanism for website authors to provide a cryp- tographic hash to a resource in addition to the location of III. PERFORMING CONTENT SECURITY CHECKS the resource. Web browsers compare the hash provided Whenever a browser fetches a resource from the web, the by the website author with the computed hash from the browser has to perform all, or at least a subset of the security fetched resource and load the resource only if the hashes checks described in Section II. match. (CSP) [W3C, 2014a] The Con- • Content Security Policy Content Security Policy: script-src good.com tent Security Policy allows web authors to define a whitelist in a HTTP header (or HTML meta element) GET good.com/library.js to specify trusted sources for delivering content. For ex- good.com ample, a CSP of script-src https://good.com permits the user agent to load script only when it is response (redirect) sourced from https://good.com. Three CSP direc- GET evil.com/attack.js tives are particularly important and should be highlighted: evil.com – Upgrade Insecure Requests [W3C, 2015b] The CSP directive upgrade-insecure-requests Security1 Checks instructs user agents to upgrade all insecure HTTP URIs to their secure HTTPS equivalent. The directive Fig. 1: Browser performing Content Security Checks (includ- targets web sites with large numbers of insecure ing checks after redirects). legacy URIs that would otherwise need to be rewrit- ten to secure links. Figure 1 shows a web browser that performs a GET request of the URI good.com/library.js. Before the browser [W3C, 2015a] – Strict Mixed Content Blocking actually initiates the network load, it performs at least an The CSP directive block-all-mixed-content access permission check, or applies (if applicable) the more provides a stricter variant of mixed content checking restrictive same origin policy. Additionally, the browser con- which will block optionally-blockable mixed content strains mixed content and also enforces the page’s Content in addition to blockable mixed content and prevents Security Policy. As illustrated in Figure 1, the web page ships a users from overruling the browsers decision. Content Security Policy of script-src good.com, which – Require SRI for [W3C, 2016] This CSP direc- instructs the browser to only load scripts originating from tive require-sri-for provides a mechanism for good.com. The browser now checks if the host portion of the website authors to load resources only when SRI is resource matches the host defined in the CSP. In the example, defined for the resource load. the host of the URI matches the whitelisted host in the CSP, 10284 hence the browser initiates the GET request for the given Start Resouce Load resource. GECKO The server good.com responds with a server-side URI redirect (e.g., 301 Moved Permanently)indicatingthat Security Checks the URI will be redirected to evil.com/attack.js.
Load more

Recommended publications
  • Analyzing Safari 2.X Web Browser Artifacts Using SFT
    Analyzing Safari 2.x Web Browser Artifacts using SFT. Copyright 2007 - Jacob Cunningham (v1.0) Table of Contents Introduction:...............................................................................................................................................3 Safari Forensic Tools................................................................................................................................. 3 OSX Property List files..............................................................................................................................3 Safari Related Files.................................................................................................................................... 4 The Safari Preferences files....................................................................................................................... 5 Browser History......................................................................................................................................... 7 Downloads history:.................................................................................................................................... 8 Bookmarks file ........................................................................................................................................10 Cookies file:............................................................................................................................................. 11 Browser Cache........................................................................................................................................
    [Show full text]
  • Browser Security Information
    Browser Security Information Customer security is important to us. Our top priority is to protect the privacy of your personal account information and your financial transactions FirstLine Mortgages is leading the way in Internet banking services and uses several layers of robust security technology to help ensure the confidentiality of transactions across the Internet. The first security level begins with your Web browser. When you access FirstLine Mortgages Internet Site , your browser is checked to ensure that it meets our minimum requirements. Additionally, we only allow customers with browsers that use 128-bit encryption (one of the highest levels of browser security available today) to bank on our web site. But, even with this validation, there are other precautions you should follow to maximize your protection. You have a responsibility to ensure your own security. The browser validation will verify the browser type you are using, your browser encryption level, the version of Netscape or Microsoft browser, as well as Javascript and cookies being enabled. To access -FirstLine Mortgages Internet site , you need to use: • a Netscape browser version 4.06 or better with a minimum 128-bit encryption technology • a Microsoft browser version 4.01 SP2 or better with a minimum 128-bit encryption technology • Javascript (please see below for more information about how to check and enable Javascript support) • Cookies (see below) If your browser does not meet all of these requirements, you will need to upgrade your browser to access the FirstLine Internet Site . To upgrade your browser, select the Netscape or Microsoft button below and download the latest browser version.
    [Show full text]
  • But Were Afraid to Ask!)
    05_576593 ch01.qxd 10/12/04 9:55 PM Page 9 Chapter 1 All You Ever Wanted to Know about JavaScript (But Were Afraid to Ask!) In This Chapter ᮣ Understanding a working definition of JavaScript ᮣ Dispelling common JavaScript misconceptions ᮣ Getting started with JavaScript tools ᮣ Finding information online aybe you’ve surfed to a Web site that incorporates really cool features, Msuch as ߜ Images that change when you move your mouse over them ߜ Slideshow animations ߜ Input forms with pop-up messages that help you fill in fields correctly ߜ Customized messages that welcome repeat visitors By using JavaScript and the book you’re reading right now you can create all these effects and many more! The Web page in Figure 1-1 shows you an example COPYRIGHTEDof the kinds of things that you canMATERIAL look forward to creating for your own site. A lot has changed since the previous edition of JavaScript For Dummies came out. Perhaps the biggest change is the evolution of DHTML, or dynamic HTML. DHTML refers to JavaScript combined with HTML and cascading style sheets, and it’s a powerful combination you can use to create even more breathtak- ingly cool Web sites than ever before. 05_576593 ch01.qxd 10/12/04 9:55 PM Page 10 10 Part I: Building Killer Web Pages for Fun and Profit Figure 1-1: JavaScript lets you add interactive features to your Web site quickly and easily. Along with this increased power comes increased complexity, unfortunately — but that’s where this new, improved, better-tasting edition of JavaScript For Dummies comes in! Even if you’re not a crackerjack programmer, you can use the techniques and sample scripts in this book to create interactive Web pages bursting with animated effects.
    [Show full text]
  • Smug May 09 Final
    STANFORD/PALO ALTO MACINTOSH USERS GROUP NEWSLETTER Vol.19 No.5 May 2009 Will be presenting at the monday May 4 Meeting Kathy Garrigan will be the presenter. Avery DesignPro for Mac is software that lets you print on Avery products on your Macintosh. Like business cards, label sheets, greeting cards, iron-ons, and so on. Both Dave and myself have only used the CD. The business card template and labels are very easy to use. I hope to have some samples of the things that I used the Avery templates for. Cards, T-shirts and hopefully wine labels. The great part about this app it is FREE!!!! Lorrie bleiler "Select All." April Meeting Report "Go to end." "Undo dictation." "Select the word 'sigh'". by Dave Strom (Note from Dave: Hey, this works really well!) Jay is read- MacSpeech ing words, and he will speak punctuation like "period" or and Drobo "hyphen", and the punctuation goes in. We had two (count 'em: two in "Capitalize the word group", and Dictate capped it! "Open one!) this evening. Quote", and Jay read, then said "comma", then Jay read MacSpeech and Drobo. more, "close quote", "period", "go to sleep". MacSpeech If you speak fast, you can get up to 120 words a minute, www.macspeech.com but with most people it is more like 60, then 80-90 with Jay Gonzales presented MacSpeech Dictate. This software, practice. Dictate can keep up with you. It will not print out with a microphone, does speech recognition on the the text instantly (note from Dave: I notice it does buffer Macintosh.
    [Show full text]
  • Personalizing Voyager Using Browser Extensions
    University of Kentucky UKnowledge Library Presentations University of Kentucky Libraries 5-8-2015 Personalizing Voyager Using Browser Extensions Kathryn Lybarger University of Kentucky, [email protected] Right click to open a feedback form in a new tab to let us know how this document benefits oy u. Follow this and additional works at: https://uknowledge.uky.edu/libraries_present Part of the Cataloging and Metadata Commons Repository Citation Lybarger, Kathryn, "Personalizing Voyager Using Browser Extensions" (2015). Library Presentations. 128. https://uknowledge.uky.edu/libraries_present/128 This Presentation is brought to you for free and open access by the University of Kentucky Libraries at UKnowledge. It has been accepted for inclusion in Library Presentations by an authorized administrator of UKnowledge. For more information, please contact [email protected]. Personalizing Voyager using Browser Extensions Kathryn Lybarger @zemkat ELUNA 2015 #eluna2015 May 8, 2015 Personalizing Voyager As an institution, we have a fair amount of power over how Voyager’s OPAC looks Colors and fonts Which fields are searchable What displays in search results What displays in full record view … (anything really) Must find a balance Provide good access to most of our patrons Don’t clutter the interface needlessly But how about… Personalizing for particular groups of patrons? Personalizing for staff needs? Doing so quickly? Even temporarily? Web browser extensions Custom search bars Extensions Bookmarklets User scripts Browser
    [Show full text]
  • Javascript Security
    Color profile: Generic CMYK printer profile Composite Default screen Complete Reference / JavaScript: TCR / Powell & Schneider / 225357-6 / Chapter 22 Blind Folio 679 22 JavaScript Security ownloading and running programs written by unknown parties is a dangerous proposition. A program available on the Web could work as advertised, but then Dagain it could also install spyware, a backdoor into your system, or a virus, or exhibit even worse behavior such as stealing or deleting your data. The decision to take the risk of running executable programs is typically explicit; you have to download the program and assert your desire to run it by confirming a dialog box or double-clicking the program’s icon. But most people don’t think about the fact that nearly every time they load a Web page, they’re doing something very similar: inviting code—in this case, JavaScript—written by an unknown party to execute on their computer. Since it would be phenomenally annoying to have to confirm your wish to run JavaScript each time you loaded a new Web page, the browser implements a security policy designed to reduce the risk such code poses to you. A security policy is simply a set of rules governing what scripts can do, and under what circumstances. For example, it seems reasonable to expect browsers’ security policies to prohibit JavaScript included on Web pages downloaded from the Internet from having access to the files on your computer. If they didn’t, any Web page you visited could steal or destroy all of your files! In this chapter we examine the security policies browsers enforce on JavaScript embedded in Web pages.
    [Show full text]
  • X Content Security Policy Web Config
    X Content Security Policy Web Config Volar Odin still misforms: wonted and tenable Paddie redrives quite absolutely but come-on her quadricentennial grandly. Cyprian and adiabatic Schroeder always chap vulgarly and annul his pulsimeters. Kyle tumefying brusquely while corollaceous Ron cudgellings decorative or knell immanently. Thanks admin if some prefer to use a look something else is because the content security policy to keep abreast of security web Content Security Policy KeyCDN Support. The X-Frame-Options XFO security header helps modern web browsers. Content-Security-Policy Header CSP Reference & Examples. Content Security Policy CSP is a security mechanism that helps protect against. Learn guide to install integrate and configure CKEditor 5 Builds and have to. HTTP Strict Transport Security HSTS allows web servers to declare. Firefox is using X-Content-Security-Policy and Webkit Chrome Safari are using. To junk is configure your web server to furniture the Content-Security-Policy HTTP header. Content Security Policy CSP allows you to film what resources are allowed to. Manage Content Security Policy from Episerver CMS Gosso. CLI Reference FortiADC 600 Fortinet Documentation Library. In case in need off more relaxed content security policy for example although you. More snow more web apps configure secured endpoints and are redirecting. This is dependent because XSS bugs have two characteristics which make combat a particularly serious threat in the security of web applications XSS is ubiquitous. CSP is intended to propose an additional layer of security against cross-site scripting and other malicious web-based attacks CSP is implemented as a HTTP response. Always the Content-Security-Policy.
    [Show full text]
  • Implementing Content Security Policy at a Large Scale
    Security Content Security Policy. How to implement on an industrial scale $ whois Product security team lead in Yandex OWASP Russia chapter leader Yet another security blogger oxdef.info Does anybody use CSP? < 1% of all sites :-( But … Empty slide about XSS Because no more slides about XSS Content security policy Content security policy Browser side mechanism to mitigate XSS attacks Open live standard www.w3.org/TR/CSP Source whitelists and signatures for client side code and resources of web application Content-Security-Policy and Content-Security-Policy- Report-Only HTTP headers HTML meta element In a nutshell Policy default-src 'none'; script-src 'nonce-Nc3n83cnSAd' static.example.com HTML <!doctype html><html><head> <meta charset="utf-8"> <script src="//static.example.com/jquery.js"></script> <script nonce="Nc3n83cnSAd"></script> <script src="//evil.net/evil.js"></script> unsafe-inline and unsafe-eval unsafe-inline Inline scripts and styles onclick="..." javascrtipt: unsafe-eval eval() new Function setTimeout , setInterval with string as a first argument Other directives style-src - CSS styles media-src – audio and video object-src - plugin objects (e.g. Flash) frame-src – iframe sources font-src – font files connect-src - XMLHttpRequest, WebSocket When CSP protects against XSS In order to protect against XSS, web application authors SHOULD include: both the script-src and object-src directives, or include a default-src directive, which covers both scripts and plugins. In either case, authors SHOULD NOT include either 'unsafe-inline' or data: as valid sources in their policies. Both enable XSS attacks by allowing code to be included directly in the document itself; they are best avoided completely.
    [Show full text]
  • Mozilla: a Users Guide
    Mozilla: A Users Guide. or Using the Mozilla Application Suite Kevin T. Neely October 17, 2003 Contents 1 Installation 15 1.1 Deciding which Mozilla to Run ........................ 15 1.1.1 Platform ................................. 15 1.1.2 Version .................................. 15 1.2 Installing Mozilla ................................ 16 1.2.1 Using an Installer Package ....................... 16 1.2.2 Manual Installation ........................... 17 1.3 Upgrading .................................... 19 1.3.1 Make a Backup ............................. 19 1.3.2 Uninstall ................................. 19 1.3.3 Install Mozilla .............................. 20 1.3.4 Retrieve Missing Files ......................... 20 1.4 Running Multiple versions of Mozilla ..................... 21 2 Getting Started and Mozilla Basics 23 2.1 Starting Mozilla ................................. 23 2.2 Exiting Mozilla ................................. 23 2.2.1 QuickLaunch .............................. 23 3 CONTENTS CONTENTS 2.3 Preferences ................................... 24 2.4 Advanced Settings ............................... 24 2.4.1 prefs.js .................................. 25 2.4.2 user.js .................................. 25 2.4.3 userContent.css ............................. 26 2.5 Profiles ...................................... 27 2.6 Themes ..................................... 27 2.7 Security ..................................... 27 2.7.1 Passwords ................................ 27 2.8 Cookies ....................................
    [Show full text]
  • Guideline for Securing Your Web Browser P a G E | 2
    CMSGu2011-02 CERT-MU SECURITY GUIDELINE 2011 - 02 Mauritian Computer Emergency Response Team Enhancing Cyber Security in Mauritius Guideline For Securing Your Web Browser National Computer Board Mauritius JuJunene 2011 2011 Version 1.7 IssueIssue No. No. 4 2 National Computer Board © Table of Contents 1.0 Introduction .......................................................................................................................... 7 1.1 Purpose and Scope ........................................................................................................... 7 1.2 Audience........................................................................................................................... 7 1.3 Document Structure.......................................................................................................... 7 2.0 Background .......................................................................................................................... 8 3.0 Types of Web Browsers ....................................................................................................... 9 3.1 Microsoft Internet Explorer .............................................................................................. 9 3.2 Mozilla Firefox ................................................................................................................. 9 3.3 Safari ................................................................................................................................ 9 3.4 Chrome ..........................................................................................................................
    [Show full text]
  • Browser Security
    Transcript of Episode #38 Browser Security Description: Steve and Leo discuss the broad topic of web browser security. They examine the implications of running "client-side" code in the form of interpreted scripting languages such as Java, JavaScript, and VBScript, and also the native object code contained within browser "plug- ins" including Microsoft’s ActiveX. Steve outlines the "zone-based" security model used by IE and explains how he surfs with high security under IE, only "lowering his shields" to a website after he’s had the chance to look around and decide that the site is trustworthy. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-038.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-038-lq.mp3 Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting. This is Security Now! with Steve Gibson, Episode 38 for May 4, 2006: Browser Security. Security Now! is brought to you by Astaro, makers of the Astaro Security Gateway, on the web at www.astaro.com. So finally the sun is shining in beautiful California. We have summer, or at least spring finally arrived. And, look, Steve Gibson’s wearing a tank top and shorts. No, he’s not. Steve Gibson: Well, it’s dry in Toronto, Leo. You were all chapped; I was all, like, chapped just after one day. Leo: I am. And, you know, they complain in Toronto that it’s too humid because they have the lake effect. But I guess it gets humid some other time because I – chapped is the word, exactly.
    [Show full text]
  • New Standards and Upcoming Technologies in Browser Security
    OWASP The OWASP Foundation AppSec Europe 2011 http://www.owasp.org New Standards and upcoming Technologies in Browser Security Tobias Gondrom Board member of OWASP London Chair of IETF Web Security WG [email protected] Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Tobias Gondrom • 12 years information security experience • 10 years application development experience • Information Security & Risk Management, Research and Advisory, Director • Author of Standards on Digital Signatures and Secure Archiving • Chair of IETF Web Security Working Group http://datatracker.ietf.org/wg/websec/charter/ Member of the IETF Security Directorate • London OWASP chapter board member (former OWASP Germany chapter lead) www.owasp.org Browser Security • History • What’s the problem • Who & Why • What’s been done • When 3 Browser Security • History • What’s the problem • Who & Why • What’s been done • When 4 History • Internet/Arpanet Protocols were designed for robustness and exchanging information and cross reference of content… …. but not with security and active content in mind • We try to fix Application Security on the Application end ever since 5 Browser Security • History • What’s the problem • Who & Why • What’s been done • When 6 What’s the problem - OWASP Top 10 What’s the problem - OWASP Top 10 What’s the problem - No Clear separation between content and executed code - Relies on trust relationships (trust on first use / trusted source) - Weak channel protection - Authentication & leakage of credentials => Today, Web Applications try to fix this on the Application level with little support of the underlying infrastructure 9 What’s the problem Client Server Inform & Influence Security Posture 10 Think Big - What if we can….
    [Show full text]