Add a guide on xs-leaks #38977
Add a guide on xs-leaks #38977
Conversation
* upstream/main: (172 commits) chore: improve code style guide (mdn#38715) fix: typo on `Error.isError()` page (mdn#38754) plural consistency (mdn#38747) fix: auto-cleanup by bot (mdn#38695) Synchronize with BCD v5.7.4 (mdn#38709) Add docs for JS self-profiling API (mdn#37796) Better SameSite docs (mdn#38710) Added missing explanation for Array Literals (mdn#38745) Add a page on CSRF (mdn#38151) Fix description of several Range methods (mdn#38518) Remove extraneous span (mdn#38696) Add a definition for media containers, improve how the media files are defined and Remove wrong information (mdn#38721) Move visited selector guide to CSS selectors module (mdn#38642) Make JSON learning article more technically precise (mdn#38644) Make translate3d() interactive example code valid (mdn#38647) Clarity on Safari support for custom elements (mdn#38727) feat(css): Link to learning doc about text direction (mdn#38719) Fix typo (mdn#38739) move guide to module: inline formatting context (mdn#38637) Fix CSS pseudo-class lists (mdn#38576) ...
github-actions
bot
added
Content:Security
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
|
Preview URLs Flaws (12)URL:
URL:
External URLs (4)URL:
(comment last updated: 2025-04-10 18:58:18) |
* upstream/main: (158 commits) fix: remove unrelated add() method reference from openCursor() doc (mdn#38998) Fix link (mdn#38995) Remove uncovered topic from a tuturial overview. (mdn#38999) Change the description of Temporal.Instant (mdn#38996) Remove `port` mention for URL `protocol` documentation (mdn#39000) Improve the clarity of a sentence (mdn#39003) Change if...else to non-zero on control_flow page (mdn#38992) Update group-data of EditContext API (mdn#38842) improve description (mdn#38845) fix: auto-cleanup by bot (mdn#38990) New pages: HTMLFormElement.rel and .relList (mdn#38900) Add live sample embeds for SVG path examples (mdn#38928) Remove uncovered topic from the introduction (mdn#38986) Remove self-links (mdn#38982) Synchronize with BCD v6.0.3 (mdn#38983) Fix grammar (mdn#38981) Remove external Web Speech API articles (mdn#38980) Add missing {{Specifications}} macros (mdn#38975) Remove browser-compat for CSS types without BCD (mdn#38970) Update async_function_star_ to have a working example (mdn#38972) ...
…e-leaks * origin/cross-site-leaks:
| page-type: guide | ||
| --- | ||
|
|
||
| Cross-site leaks (also called XS-leaks) are a class of attack which exploit the ways in which a target site can leak information to an attacker's site, either through web platform APIs or through {{glossary("side channels")}} such as timing attacks. The information leaked could include, for example: |
There was a problem hiding this comment.
I think a web platform API is a side channel in these cases (i.e. is it worth differentiating)?
There was a problem hiding this comment.
I think the wording is a little unclear: "a class of attack which exploit the ways in which a target site can leak information to an attacker's site". Maybe start with a typical user story, an example of what information is (presumably unintentionally) leaking and then how an attacker exploits that leak?
There was a problem hiding this comment.
I think a web platform API is a side channel in these cases (i.e. is it worth differentiating)?
yes, tbh I started being uncertain about what exactly counts as a side channel, so I reworked the definition a bit in 36d919e .
Maybe start with a typical user story, an example of what information is (presumably unintentionally) leaking and then how an attacker exploits that leak?
I'm happy to do more work on the definition if it is unclear but I really do want to start with a concise definition rather than a story.
|
Looks good. The choices are reasonable and I think this should give a good flavour of the problem and the kinds of solutions. In particular when you expand a little on how this information leaking might actually be a real problem. I don't fully understand spectre or any of the timing attacks. That makes it hard to understand whether or not it should be here. But my leaning is that if you try write a document and it looks a lot like this one, you should be able to slot it in later without much difficulty.
I don't "know" either. I kind of like it because it's a side channel in a security mechanism. As per comments, I'm still getting clear on exactly how this works. Either way though, what is the defense?
I would mention it as a single line - it is part of a defense in depth to restrict any cross origin loading to the minimum required so that the resource can still be used as intended.
I do think it might be nice to have a separate guide "defense it depth handbook" that covers the common things. But you'll still have to link it from each of these sections, and I really think as long as we keep them constrained like this, the duplication does not hurt. |
|
One general comment that comes to mind: there is a lot of discussion of iframes but no context of how these are used that might make it easier to understand the risks. E.g. iframes are used in payment flows and advertising, but there is no mention of either in the doc...? |
Co-authored-by: Hamish Willee <[email protected]>
Co-authored-by: Hamish Willee <[email protected]>
Yeah I like that aspect of it as well. One of the things that make xs-leaks hard to defend against is that things that should protect you can end up hurting you.
As I say, AFAIK there isn't one. |
I'm not sure in this particular context how what the frames are doing is that relevant though - the attack doesn't get that kind of access and doesn't care - it's just the fact that they exist that the attacker can use. Maybe if I can expand the page per #38977 (comment) that might help with this? |
Co-authored-by: Hamish Willee <[email protected]>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
|
||
| ### Defense summary checklist | ||
|
|
||
| As we've seen, cross-site leaks include a range of attacks targeting different parts of the web platform: a single defense doesn't work against any of them. Indeed, some leaks, such as the one that exploits CSP to leak redirects, don't have any defenses yet. |
There was a problem hiding this comment.
I created a comment against a commit, but it doesn't seem to be visible here. Might be irrelevant
But while there is no way to stop CSP from revealing the redirect, you aren't forced to have redirects. You might, for example, use the same page with frames and different content for a logged in users.
There was a problem hiding this comment.
IMO this is a useful entry point that positions the problem appropriate, doesn't swamp the reader, and doesn't duplicate other resource. I feel I have a good idea of what kinds of information might leak, what an attacker might do with that information, broad steps I might take to reduce the risk, and I can work out where to go for more information.
Approving, so you can merge when you think inflow of useful review has ceased.
|
@mozfreddyb , would love you to take a look when you get the chance. |
Here's a PR to add a guide to cross-site leaks. I feel like this might need some further work but it should be good enough for a review.
To understand the rationale for some of the choices I've made it would be worth looking at #3526 (comment) and the response.
XS-leaks are a bit different to the other attacks because they are very diverse. So I've chosen three quite different attacks, to try to give an idea of their diversity, and tried to explain how the attacks have similarities and how various defenses can help with them. I'm reasonably happy with the first two attacks - error events and frame counting - but wasn't sure which to pick for a third, and not sure the CSP one is a good choice.
I haven't talked about CORP since AFAICT CORP is mostly presented in connection with Spectre/Meltdown, which I haven't discussed here (again see #3526 (comment) for why). But perhaps I should after all introduce it, maybe as a defense against the error event attack?
I'm conscious as I write these guides to different that we're getting a lot of duplication from one guide to another in the "Defenses" section, outlining for example how to do framing protection, or set SameSite. I think we might want to factor these out into separate guides at some point.
I mentioned at the start that "side channels" can be a vector for xs-leaks, and think we should have a glossary page for that, but didn't write it yet.
Fixes #3526.