w3c / webappsec-post-spectre-webdev

Post-Spectre Web Development
https://w3c.github.io/webappsec-post-spectre-webdev/

Make recommendations around local-schemed frames. #2

Closed mikewest closed 3 years ago

mikewest commented 3 years ago

On tonight's WebAppSec call, @shhnjk noted that we should specifically address <iframe src="data:..."> and <iframe srcdoc {sandbox}>, as both can create frames which contain dangerous content that could attack their parent. And he's right! We should!

We should also note that this risk is somewhat mitigated (or, at least, bandwidth-limited) by the requirement that COI be explicitly delegated to the frame via allow="cross-origin-isolated".

@shhnjk: Does this capture your concern?

shhnjk commented 3 years ago

We should also note that this risk is somewhat mitigated

I'm not sure if we want to communicate this way. A COI context only makes an attack easier, and a normal context can still attack.

Also, it'll also be interesting to take telemetry of those frames, and look for process isolation.

mikewest commented 3 years ago

I'm not sure if we want to communicate this way. A COI context only makes an attack easier, and a normal context can still attack.

"somewhat mitigated" seems accurate, as there's a substantial reduction in attack bandwidth when shifting from COI environments to non-COI environments.

Also, it'll also be interesting to take telemetry of those frames, and look for process isolation.

I'm not sure what this would tell us? The numbers will be 0 in Firefox, for example. Does that substantially change the recommendations we'd want to make here?

shhnjk commented 3 years ago

I think when we say “mitigated”, it gives developers the impression that a normal context is safe. "Reduction in attack bandwidth" sounds better.

I'm not sure what this would tell us? The numbers will be 0 in Firefox, for example. Does that substantially change the recommendations we'd want to make here?

Yeah, probably it’s off-topic in this discussion :)

shhnjk commented 3 years ago

After reading the whole document, it's clear that the threat model outlined does indicate the following, which means any cross-site iframe can read the content of its parent. So maybe this point doesn't need to be added?

With this in mind, our general assumption will be that an origin gains access to any resource which it renders (including images, stylesheets, scripts, frames, etc). Likewise, embedded frames gain access to their ancestors' content.

mikewest commented 3 years ago

To close this out, I added a note to https://w3c.github.io/webappsec-post-spectre-webdev/#local-scheme-frames.