Ian PrestonDec 21, 2022
G'day @we1x, I'd love to hear your thoughts on our use of CSP and COOP to sandbox and isolate user created apps on hash based subdomains in @peergos There's an overview here: https://peergos.org/posts/a-better-web but I'd love to talk if you're interested.
A better web

Show threadLukas WeichselbaumDec 21, 2022
@ianopolous @peergos Hi Ian, this is an interesting proposal. CSP can usually not prevent exfiltration of data once untrusted/malicious scripts can be executed in the origin where the sensitive data lives. For example CSP does not restrict navigation and therefore navigating a site (or opening a new window) can be used to exfiltrate data. E.g. navigating to example.com?x=some-data.
However, I don't know your setup so my comment may or may not be accurate here.
You can find more examples on slide 25 here: https://conference.hitb.org/hitbsecconf2018ams/materials/D2T2%20-%20Michele%20Spagnuolo%20&%20Lukas%20Weichselbaum%20-%20Defense-in-Depth%20Techniques%20for%20Modern%20Web%20Applications%20and%20Google%E2%80%99s%20Journey%20with%20CSP.pdf
Show threadIan PrestonDec 22, 2022
@we1x @peergos Are you aware of any plans for full exfiltration protection beyond webrtc and prefetch-src? Many groups would love this.
Show threadLukas WeichselbaumDec 22, 2022
@ianopolous @peergos Full exfiltration protection would be hard to achieve for CSP and is not something CSP was designed for. Furthermore, the proposed navigate-to directive has been deprecated due to security issues it would introduce (iirc the implementation would have allowed certain information leaks): https://github.com/w3c/webappsec-csp/pull/564
Remove `navigate-to`. by mikewest · Pull Request #564 · w3c/webappsec-csp

Though there's an implementation of this directive behind a flag in Chromium, it's not something that any vendor has shipped, and there are real concerns about information leaks that it enables. Th...

GitHub
Show threadIan Preston
@we1x @peergos Great to see the recent work on making prefetch-src implicit (https://github.com/w3c/webappsec-csp/pull/582). I double checked our sandbox setup, and we are able to block iframe navigation and window.open with frame-src CSP and that the subdomain is sandboxed and doesn't have "allow-popup".
Use "least restrictive" directive instead of `prefetch-src` by noamr · Pull Request #582 · w3c/webappsec-csp

When prefetching a resource (or preconnecting to an origin), the destination of the request is unknown and also not important. e.g. if this resource is a script and would be disallowed by script-sr...

GitHub
Dec 22, 2022 at 8:55pmWeb
Show threadLukas WeichselbaumDec 22, 2022
@ianopolous @peergos Yes, being in a sandboxed iframe probably helps if you can control the CSP (and frame-src) for that frame as well.
Show threadIan PrestonDec 22, 2022
@we1x @peergos Yep, each iframe is on a unique subdomain which sets the CSP sandbox server side: https://github.com/Peergos/Peergos/blob/master/src/peergos/server/net/StaticHandler.java#L141
Peergos/StaticHandler.java at master · Peergos/Peergos

A p2p, secure file storage, social network and application protocol - Peergos/StaticHandler.java at master · Peergos/Peergos

GitHub
Show threadLukas WeichselbaumDec 22, 2022
@ianopolous @peergos you may also want to restrict `form-action` action then to prevent exfiltration via JS submitted forms.