Testing New HTTP Headers for Better Browser Security Guarantees

Google

Adding new WPT tests for Fetch Metadata, COEP, and COOP to improve browser security guarantees.


We added new web-platform-tests tests for Fetch Metadata request headers and COEP/COOP response headers that improve browser security guarantees for users and web developers.

Challenge

Given the interlinked nature of the web, it is difficult to ensure that embedded resources from different origins are safely isolated from a website’s sensitive user data. Cross-site request forgeries (CSRF) are among the most common types of security breaches because they allow attackers to convince the browser to perform authenticated requests that appear to originate from the website itself. Moreover, in a post-Spectre world, it is increasingly difficult to guarantee that a website’s context is unreadable by code running in contexts from other origins in the same browser process. In the absence of such a guarantee, users face a greater risk of side-channel and timing attacks.

In order to offer multiple layers of protection against these attack vectors, the Google Information Security team collaborated with the Mozilla and WebKit teams to propose and implement new HTTP headers that will help browsers protect users and websites. The Fetch Metadata spec adds Sec-Fetch-* request headers that give servers additional context about who initiated a request, how, and for what purpose, so that they can make informed decisions upfront about whether a request is safe or dangerous. Meanwhile, the Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Opener-Policy (COOP) response headers allow a website to tell the browser that it should be isolated from other cross-origin resources and pages.
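To make the server-side half of this concrete, here is an added example (not code from the project or from the WPT tests it describes) of a resource-isolation check driven by the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest request headers, together with a check of the COOP/COEP response headers that together put a document into a cross-origin isolated state. The policy it enforces is a hypothetical one chosen for illustration; the header names and values are the real ones from the specs.

```javascript
// Added example: a Fetch Metadata "resource isolation" check for incoming
// requests, plus a COOP/COEP response-header check. The policy is
// hypothetical; only the header names and values come from the specs.

// Header names are case-insensitive; normalise to a lower-case map.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Decide whether a request should be served, returning { allowed, reason }.
// same-origin, same-site and user-initiated ("none") requests are served;
// cross-site requests only as top-level GET/HEAD navigations that are not
// <object>/<embed> loads. A missing header means an older browser, so the
// decision is deferred to the application's other defences (e.g. CSRF tokens).
function isRequestAllowed(method, rawHeaders) {
  const h = normaliseHeaders(rawHeaders);
  const site = h['sec-fetch-site'];
  if (site === undefined) {
    return { allowed: true, reason: 'no Fetch Metadata; defer to other checks' };
  }
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allowed: true, reason: 'Sec-Fetch-Site=' + site };
  }
  if (site !== 'cross-site') {
    return { allowed: false, reason: 'unexpected Sec-Fetch-Site value: ' + site };
  }
  const mode = h['sec-fetch-mode'];
  const dest = h['sec-fetch-dest'];
  const m = method.toUpperCase();
  const safeMethod = m === 'GET' || m === 'HEAD';
  if (mode === 'navigate' && safeMethod && dest !== 'object' && dest !== 'embed') {
    return { allowed: true, reason: 'cross-site top-level navigation' };
  }
  return { allowed: false, reason: 'cross-site ' + (mode || '?') + ' for ' + (dest || '?') + ' blocked' };
}

// A document is cross-origin isolated (and may use SharedArrayBuffer and
// high-resolution timers) only if its response carried both
// Cross-Origin-Opener-Policy: same-origin and a Cross-Origin-Embedder-Policy
// of require-corp or credentialless. Structured Header parameters
// (e.g. report-to="...") are stripped before comparing the policy token.
function isCrossOriginIsolated(rawResponseHeaders) {
  const h = normaliseHeaders(rawResponseHeaders);
  const coop = (h['cross-origin-opener-policy'] || '').split(';')[0].trim();
  const coep = (h['cross-origin-embedder-policy'] || '').split(';')[0].trim();
  return coop === 'same-origin' && (coep === 'require-corp' || coep === 'credentialless');
}
```

A real deployment would apply `isRequestAllowed` as middleware in front of state-changing endpoints and keep CSRF tokens in place for browsers that do not yet send Fetch Metadata.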

Google asked us to help audit the specifications for these new features and ensure that they have coverage in web-platform-tests (WPT). In the case of Fetch Metadata, we first needed to enumerate all of the ways that a browser could generate a request on behalf of a user, since each mechanism needed to be tested for the correct Sec-Fetch-* headers. Meanwhile, testing COEP and COOP required designing complex tests that involve running code in multiple processes.

Solution

We audited the Fetch Metadata spec and put together an appendix of 94 ways the browser can be induced to make a request. The appendix highlighted mechanisms that needed spec clarifications or additional tests for Sec-Fetch-* request headers. We then wrote a reusable WPT test generation framework that could automatically generate some of the missing coverage. Our contributions ensure that browsers generate the right request headers.

To address the need for COOP and COEP testing, we first audited the spec and filed issues to provide clarification for outstanding questions about how different header combinations are interpreted by different contexts and resources. Then we added better WPT support for header parsing logic, including Structured Header parameters. During the course of this work, we ended up fixing issues in the spec itself where behavior was underspecified. Finally, we added new assertions for the COOP and COEP response headers themselves.

Impact

Writing unambiguous, multi-feature web-platform-tests for these three cross-cutting security features ended up generating feedback, clarifications, and bug fixes for the underlying specifications. We uncovered edge conditions and produced an exhaustive list of browser request mechanisms. Beyond web platform security, our automated test generation framework may be used as a generic tool to help browser implementers maintain web-platform-tests for similarly cross-cutting features. We are currently evaluating its potential use in tests for Referrer-Policy, mixed content, and the Origin header.

For web developers and users, this work improves the safety of web browsers and reduces the vectors for malicious actors to steal sensitive user data. In the case of COOP and COEP, we’ve also empowered browsers to safely re-enable important but previously risky features, including SharedArrayBuffer and high-resolution timers such as performance.now(). These features allow web developers to build faster and more robust web apps that rival the raw performance of native threaded applications.
