SLIDE 1 Firefox Security
Sid Stamm <sid@mozilla.com>
SLIDE 2 Browser as a Protector
- Protect Site Content
- Safe Platform
- Third-Party Features
- Keeping your Secrets
SLIDE 3
Content Restrictions
Content Security Policy
SLIDE 4
Content Restrictions
Document “Good” behavior... Suppress the “Bad”
SLIDE 5 Grabbing the Reins
- Content Rules & Regulations
- Specify a “Normal Behavior” Policy
- Catch and Block Violations
(diagram: <HTML> content, Content Policy, Specify Rules, Enforce Rules)
Content Restrictions
SLIDE 6 Step 1: Smooth Edges
- Scripts served in files (not inline)
- “javascript:” URIs
- <tag on*=...> event registration
- text nodes in <script> tags
- Establish Code / Data Separation
- eval(“foo”) and friends
Content Restrictions
SLIDE 7 Step 2: Restrictions on Content
- Block requests for all resources
... unless explicitly allowed by a policy!
Content Restrictions
SLIDE 8 CSP: Policies
X-Content-Security-Policy header
- Directives to enforce listed within
Content Restrictions
SLIDE 9 Speed Bump
- Designers may not have access to HTTP
- Two entities want restrictions
<meta http-equiv=....>?
Content Restrictions
SLIDE 10
Speed Bump
Given Policies P1 and P2: Pe = {u | P1 allows u AND P2 allows u}
Intersecting Policies
Content Restrictions
SLIDE 11 Speed Bump
- policy in-band is too dangerous
- Multiple header instances!
<meta http-equiv=....>?
Content Restrictions
SLIDE 12 CSP: Directives
- report-uri
- policy-uri
- source directives
Content Restrictions
SLIDE 13 CSP: Source Directives
- img-src
- media-src
- script-src
- frame-src
- font-src
- xhr-src
- frame-ancestors
- style-src
- allow (default for these)
Content Restrictions
SLIDE 14
Speed Bump
‘self’ ... in pieces?
- https://‘self’:443
- ‘self’://foo.com
- foo.com:‘self’
Content Restrictions
SLIDE 15
‘self’
- ‘self’ -> http://foo.com:80
- bar.com:8080 -> http://bar.com:8080
- http://foo.com -> http://foo.com:80
- bar.com -> http://bar.com:80
Content Restrictions
SLIDE 16
Speed Bump
Redirects (diagram): http://foo.com, http://bar.com, http://duh.com
Content Restrictions
SLIDE 17 Step 3: Profit
- Sites only request explicitly allowed resources
- Injected inline scripts don’t run
- Content homogenization (mixed content control)
- Cross-domain CSRF reduction
- Violation reports = early alert
Content Restrictions
SLIDE 18 CSP: Use Case 1
- Site wants all content to come from the same source (scheme, host, port)
allow ‘self’
Content Restrictions
SLIDE 19 CSP: Use Case 2
- Site wants all content to come from the same source (scheme, host, port), except content in iframes may be served by a third-party advertising network.
allow ‘self’; frame-src ads.net
Content Restrictions
SLIDE 20 CSP: Use Case 3
- Auction site wants to allow images from anywhere, plugin content from a trusted media provider network, and scripts only from its server hosting sanitized JavaScript
allow ‘self’; img-src *; script-src myscripts.com
Content Restrictions
SLIDE 21 CSP: Use Case 4
- Example site wants to force all content to be served via HTTPS on port 443, from any subdomain of example.com
allow https://*.x.com;
Content Restrictions
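The use-case policies above, the ‘self’ and default-port expansion rules of slide 15, and the policy-intersection rule of slide 10 can be exercised with a small evaluator. This is an added example, not Mozilla's code or the deck's own; it assumes the early X-Content-Security-Policy syntax shown here (space-separated sources, `;` between directives, ASCII `'self'`) and that an unlisted directive falls back to `allow`.

```javascript
// Added example (not Mozilla's code): a minimal evaluator for the early
// X-Content-Security-Policy syntax on these slides. Policies use ASCII 'self'.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
// Expand one source expression to {scheme, host, port} following slide 15:
// 'self' is the document origin; a bare host means http on port 80.
function expandSource(src, selfOrigin) {
  if (src === "'self'") return selfOrigin;
  if (src === "*") return { scheme: "*", host: "*", port: "*" };
  const m = /^(?:([a-z]+):\/\/)?([^:/]+)(?::(\d+))?$/i.exec(src);
  if (!m) throw new Error("bad source expression: " + src);
  const scheme = (m[1] || "http").toLowerCase() + ":";
  return { scheme, host: m[2].toLowerCase(), port: m[3] || DEFAULT_PORT[scheme] };
}

function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] };
}

// "allow 'self'; img-src *; script-src myscripts.com" -> { allow: ["'self'"], ... }
function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name] = sources;
  }
  return policy;
}

// Host may be exact, "*", or a "*.example" wildcard; scheme and port must match.
function sourceMatches(s, o) {
  const hostOk = s.host === "*" || s.host === o.host ||
    (s.host.startsWith("*.") && o.host.endsWith(s.host.slice(1)));
  return hostOk && (s.scheme === "*" || s.scheme === o.scheme) &&
    (s.port === "*" || s.port === o.port);
}

// May `url` load as `directive` (e.g. "img-src") under policyText for a page at selfUrl?
// Missing directives fall back to "allow" (slide 13); nothing listed means blocked.
function allows(policyText, directive, url, selfUrl) {
  const policy = parsePolicy(policyText);
  const sources = policy[directive] || policy["allow"] || [];
  const self = originOf(selfUrl), target = originOf(url);
  return sources.some(s => sourceMatches(expandSource(s, self), target));
}

// Slide 10: with two policies, the effective policy allows only what both allow.
function allowsIntersection(p1, p2, directive, url, selfUrl) {
  return allows(p1, directive, url, selfUrl) && allows(p2, directive, url, selfUrl);
}
```

Note that a bare host such as `ads.net` expands to `http://ads.net:80`, so an HTTPS frame from the same host is blocked until the policy says `https://ads.net`.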
SLIDE 22 Wait! That breaks my site!
- Good Option: convert your site
- Less Good Option: disable parts of CSP
Content Restrictions
SLIDE 23 Ramping Up
- Disable some restrictions via options
- Report-Only mode
- “Writing a Policy” guide
- “Converting your Site” guide
- Maybe a policy recommendation tool?
Content Restrictions
SLIDE 24
Safe Platform
SLIDE 25 Wrappers
Safe Platform
SLIDE 26 Wrappers
Safe Platform
SLIDE 27 Wrappers
Safe Platform
SLIDE 28 Wrappers
Safe Platform
SLIDE 29 Out of Process Plug-Ins
Safe Platform
SLIDE 30
Add-Ons
Third-Party Features
SLIDE 31
XPCOM and IDL
Third-Party Features
SLIDE 32 XPCOM and IDL
Third-Party Features
Source: http://www.ibm.com/developerworks/java/library/os-xpcomfirefox/
SLIDE 33
Untamed Add-Ons
Third-Party Features
SLIDE 34
Jetpack
Third-Party Features
SLIDE 35 Jetpack
Third-Party Features
(diagram: My Add-On -> API -> Jetpack Backend (XPCOM) with its modules)
SLIDE 36 Jetpack
Third-Party Features
(diagram: My Add-On -> API (JavaScript) -> Jetpack Backend (XPCOM) with its modules)
SLIDE 37 Jetpack
Third-Party Features
(diagram: My Add-On -> API -> Jetpack Backend (XPCOM) with its modules)
Capabilities:
1. http://foo.com
2. graphics
3. menus
SLIDE 38
Features and Your Privacy
Keeping your Secrets
SLIDE 39 History Sniffing
Keeping your Secrets
http://dbaron.org/mozilla/visited-privacy
https://wiki.mozilla.org/User:Sidstamm/CSS_History_Sniffing_Links
SLIDE 40 Private Browsing
Keeping your Secrets
(roll-back time)
SLIDE 41 NPAPI Hooks
Keeping your Secrets
Private Browsing, Clear Recent History, etc.
SLIDE 42
Browser Traces
Keeping your Secrets
SLIDE 43 Browser as a Protector
- Protect Site Content
- Safe Platform
- Third-Party Features
- Keeping your Secrets