Source: cybersec-prod.s3.amazonaws.com/secdev/wp-content/...
Enforcing Content Security By Default within Web Browsers
Christoph Kerschbaumer
Content Security Checks
File Access Permission
Same Origin Policy
Cross Origin Resource Sharing
Mixed Content Blocking
Content Security Policy
Subresource Integrity
…
Performing Content Security Checks
Diagram: a page carrying Content-Security-Policy: script-src good.com issues (1) GET good.com/library.js; the security checks run at this step, before the request goes out. good.com responds with a redirect, and the browser follows it with GET evil.com/attack.js.
Terminology
GECKO: layout engine within Firefox; renders web content such as HTML, JS, CSS, etc.
NECKO: network library within Firefox; loads resources over the internet
Performing Security Checks Historically
Diagram (GECKO / NECKO): in GECKO, the security checks run when a resource load starts; NECKO then initiates the resource load, and a redirect leads directly to the next resource load without passing through the security checks again.
Performing Security Checks By Default
Diagram (GECKO / NECKO): GECKO provides the load context (LoadInfo) and starts the resource load; NECKO initiates the resource load and performs the security checks itself, including on every redirect before the next resource load.
Providing Load Context
LoadInfo {
  Principal* loadingPrincipal;
  ContentPolicyType contentPolicyType;
  SecurityFlags securityFlags;
};
LoadingPrincipal
ContentPrincipal: represents the security context of web content; reflects the origin of that content
SystemPrincipal: reflects the security context of the system; bypasses all security checks
NullPrincipal: reflects a sandboxed security context; only same origin with itself
ContentPolicyType
SCRIPT
IMAGE
STYLE
FONT
IFRAME
AUDIO
VIDEO
FAVICON
…
SecurityFlags
REQUIRE_SAME_ORIGIN_DATA_INHERITS
REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED
ALLOW_CROSS_ORIGIN_DATA_INHERITS
ALLOW_CROSS_ORIGIN_DATA_IS_NULL
REQUIRE_CORS_DATA_INHERITS
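The following C++ is an added example, not Gecko's code: a simplified model of the three principal kinds from the LoadingPrincipal slide and of the SecurityFlags listed above, showing how a LoadInfo decides whether a load may proceed and which principal the loaded data ends up with. The helper names (OriginOf, CheckLoad), the Response shape and the treatment of data: URLs are assumptions made for this illustration.

```cpp
// Added example, not Gecko code: a simplified model of principals and of the
// SecurityFlags on a LoadInfo. Helper names, the Response shape and the data:
// URL handling are assumptions for illustration.
#include <cstdint>
#include <string>

// scheme://host[:port] of a URL (hypothetical helper; Gecko compares nsIURIs).
std::string OriginOf(const std::string& url) {
  size_t s = url.find("://");
  if (s == std::string::npos) return url;
  return url.substr(0, url.find('/', s + 3));
}

enum class PrincipalKind { Content, System, Null };

struct Principal {
  PrincipalKind kind;
  std::string origin;  // origin for Content, "null" for Null, "" for System
  uint64_t id;         // tells one NullPrincipal apart from another

  // Does this principal hold at least the privileges of |other|?
  bool Subsumes(const Principal& other) const {
    if (kind == PrincipalKind::System) return true;   // bypasses all checks
    if (other.kind == PrincipalKind::System) return false;
    if (kind == PrincipalKind::Null)                  // same origin only with itself
      return other.kind == PrincipalKind::Null && id == other.id;
    return other.kind == PrincipalKind::Content && origin == other.origin;
  }
};

Principal ContentPrincipal(const std::string& url) { return {PrincipalKind::Content, OriginOf(url), 0}; }
Principal SystemPrincipal() { return {PrincipalKind::System, "", 0}; }
Principal NullPrincipal() {
  static uint64_t next = 1;
  return {PrincipalKind::Null, "null", next++};
}

// Flags from the SecurityFlags slide. Each pairs a check on the target origin
// (same origin, any origin, or CORS) with a rule for data: URLs, which have no
// server origin: inherit the loading principal, be blocked, or get a NullPrincipal.
enum class SecurityFlags {
  REQUIRE_SAME_ORIGIN_DATA_INHERITS,
  REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
  ALLOW_CROSS_ORIGIN_DATA_INHERITS,
  ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
  REQUIRE_CORS_DATA_INHERITS,
};

struct LoadInfo {
  Principal loadingPrincipal;
  std::string contentPolicyType;  // carried along; not consulted by this check
  SecurityFlags securityFlags;
};

// What this check needs from a response (constructed shape): the URL the data
// came from and the server's Access-Control-Allow-Origin value, if any.
struct Response { std::string url; std::string allowOrigin; };

struct Decision {
  bool allowed;
  Principal resultPrincipal;  // principal the data runs with, when allowed
  std::string reason;
};

Decision CheckLoad(const LoadInfo& li, const Response& r) {
  const Principal& lp = li.loadingPrincipal;
  if (r.url.rfind("data:", 0) == 0) {
    switch (li.securityFlags) {
      case SecurityFlags::REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED:
        return {false, lp, "data: URL blocked"};
      case SecurityFlags::ALLOW_CROSS_ORIGIN_DATA_IS_NULL:
        return {true, NullPrincipal(), "data: URL sandboxed under a NullPrincipal"};
      default:
        return {true, lp, "data: URL inherits the loading principal"};
    }
  }
  Principal target = ContentPrincipal(r.url);
  bool subsumed = lp.Subsumes(target);  // same origin, or a system load
  switch (li.securityFlags) {
    case SecurityFlags::REQUIRE_SAME_ORIGIN_DATA_INHERITS:
    case SecurityFlags::REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED:
      if (subsumed) return {true, target, "loading principal subsumes target"};
      return {false, lp, "cross origin blocked"};
    case SecurityFlags::REQUIRE_CORS_DATA_INHERITS:
      if (subsumed) return {true, target, "loading principal subsumes target"};
      if (r.allowOrigin == "*" || r.allowOrigin == lp.origin)
        return {true, target, "cross origin permitted by CORS"};
      return {false, lp, "server did not opt in via CORS"};
    default:  // ALLOW_CROSS_ORIGIN_*
      return {true, target, "cross origin allowed without CORS"};
  }
}
```

CheckLoad(LoadInfo{ContentPrincipal("https://good.com/"), "TYPE_SCRIPT", SecurityFlags::REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED}, Response{"https://evil.com/attack.js", ""}) is refused, the same LoadInfo with a SystemPrincipal is not, and two NullPrincipals never subsume each other.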
Performing Content Security Checks
LoadInfo {
  Principal* loadingPrincipal = https://good.com;
  ContentPolicyType contentPolicyType = TYPE_SCRIPT;
  SecurityFlags securityFlags = ALLOW_CROSS_ORIGIN;
};
Diagram: the page on good.com, with Content-Security-Policy: script-src good.com, issues (1) GET good.com/library.js; good.com responds with a redirect, and the browser follows it with GET evil.com/attack.js. The security checks are evaluated against this LoadInfo.
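As an added example, not taken from the slides or from Gecko, the following C++ models the redirect scenario above together with the two placements of the checks from the Historically and By Default slides: a fetch loop that either checks once before the channel opens, or re-checks every redirect target against the LoadInfo it carries. The server table, the CSP subset (script-src with host sources only), the abbreviated flag names and the function names are constructed for this illustration.

```cpp
// Added example, not Gecko code: the slide's redirect scenario with the
// security checks placed either once before the load (historical) or on
// every redirect inside the network layer (by default). The server table,
// the CSP subset and the function names are assumptions for illustration.
#include <cstdio>
#include <map>
#include <string>
#include <vector>

std::string OriginOf(const std::string& url) {
  size_t s = url.find("://");
  if (s == std::string::npos) return url;
  return url.substr(0, url.find('/', s + 3));
}
std::string HostOf(const std::string& url) {
  std::string o = OriginOf(url);
  size_t s = o.find("://");
  return s == std::string::npos ? o : o.substr(s + 3);
}

// Only the slide's subset of CSP: the script-src directive with host sources.
struct CSP { std::vector<std::string> scriptSrc; };

// The abbreviated flag names used on the slide's populated LoadInfo.
enum class SecurityFlags { REQUIRE_SAME_ORIGIN, ALLOW_CROSS_ORIGIN };

// LoadInfo as on the slide; the loading origin stands in for Principal*, and
// the page's CSP travels with it so the network layer can consult it.
struct LoadInfo {
  std::string loadingOrigin;
  std::string contentPolicyType;
  SecurityFlags securityFlags;
  CSP csp;
};

bool SecurityChecks(const LoadInfo& li, const std::string& url) {
  if (li.securityFlags == SecurityFlags::REQUIRE_SAME_ORIGIN &&
      OriginOf(url) != li.loadingOrigin)
    return false;
  if (li.contentPolicyType != "TYPE_SCRIPT") return true;  // only script-src modelled
  for (const std::string& src : li.csp.scriptSrc)
    if (src == HostOf(url)) return true;
  return false;
}

// Constructed stand-in for the servers: URL -> Location of a redirect, or ""
// for a 200 response that carries the script body.
using Servers = std::map<std::string, std::string>;

struct LoadResult {
  bool blocked;
  std::string finalUrl;           // URL whose body was handed back to Gecko
  std::vector<std::string> hops;  // every URL the network layer fetched
};

// The network layer's fetch loop. With checkOnRedirect == false the checks run
// once, in Gecko, before the channel opens (historical); with true the
// LoadInfo is on the channel and every redirect target is re-checked (by default).
LoadResult Load(const LoadInfo& li, const Servers& servers, std::string url,
                bool checkOnRedirect) {
  LoadResult r{false, "", {}};
  if (!SecurityChecks(li, url)) { r.blocked = true; return r; }
  for (int hop = 0; hop < 20; ++hop) {  // browsers cap redirect chains
    r.hops.push_back(url);
    Servers::const_iterator it = servers.find(url);
    if (it == servers.end() || it->second.empty()) { r.finalUrl = url; return r; }
    url = it->second;  // server side redirect: follow it
    if (checkOnRedirect && !SecurityChecks(li, url)) { r.blocked = true; return r; }
  }
  r.blocked = true;  // redirect loop
  return r;
}

// The slide's scenario, constructed here: a page on https://good.com with
// Content-Security-Policy: script-src good.com loads good.com/library.js, and
// good.com answers with a redirect to evil.com/attack.js. A second script
// that redirects within good.com shows a benign redirect.
const Servers kServers = {
  {"https://good.com/library.js", "https://evil.com/attack.js"},
  {"https://evil.com/attack.js", ""},
  {"https://good.com/ui.js", "https://good.com/ui-v2.js"},
  {"https://good.com/ui-v2.js", ""},
};
const LoadInfo kScriptLoad{"https://good.com", "TYPE_SCRIPT",
                           SecurityFlags::ALLOW_CROSS_ORIGIN, CSP{{"good.com"}}};

LoadResult HistoricalLoad(const std::string& url) { return Load(kScriptLoad, kServers, url, false); }
LoadResult DefaultLoad(const std::string& url) { return Load(kScriptLoad, kServers, url, true); }

int main() {
  LoadResult h = HistoricalLoad("https://good.com/library.js");
  LoadResult d = DefaultLoad("https://good.com/library.js");
  std::printf("historical: blocked=%d final=%s\n", h.blocked, h.finalUrl.c_str());
  std::printf("by default: blocked=%d hops=%zu\n", d.blocked, d.hops.size());
  return 0;
}
```

Run stand-alone, the historical path hands evil.com/attack.js back to Gecko even though the policy only permits good.com, while the by-default path stops at the redirect; the same-origin redirect from good.com/ui.js passes in both modes.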
Server Side Redirects
Engineering Effort
100+ updated network loads
400+ tests that verify network loads
20 months
One Engineer full time
Dozens of reviewers
518 changesets
126,322 lines of code (hg diff -p -U 8)
3,500 man hours
Thank You
Christoph Kerschbaumer