Testing New HTTP Headers for Better Browser Security Guarantees

Given the interlinked nature of the web, it is difficult to ensure that embedded resources from different origins are safely isolated from a website’s sensitive user data. Cross-site request forgeries (CSRF) are among the most common types of security breaches because they allow attackers to convince the browser to perform authenticated requests that appear to originate from the website itself. Moreover, in a post-Spectre world, it is increasingly difficult to guarantee that a website’s context is unreadable by code running in contexts from other origins in the same browser process In the absence of such a guarantee, users face a greater risk of side-channel and timing attacks.

In order to offer multiple layers of protection against these attack vectors, the Google Information Security team collaborated with the Mozilla and Webkit teams to propose and implement new HTTP headers that will help browsers protect users and websites. The Fetch Metadata spec adds Sec-Fetch-* request headers that provide additional context to servers to help make informed decisions upfront about whether a request is safe or dangerous. Meanwhile, the Cross Origin Embedder Policy (COEP) and Cross Origin Opener Policy (COOP) response headers allow a website to tell the browser that it should be isolated from other cross-origin resources and pages.

Google asked us to help audit the specifications for these new features and ensure that they have coverage in web-platform-tests (WPT). In the case of Fetch Metadata, we first needed to enumerate all of the ways that a browser could generate a request on behalf of a user, since each mechanism needed to be tested for the correct Sec-Fetch-* headers. Meanwhile, testing COEP and COOP required designing complex tests that involve running code in multiple processes.

We audited the Fetch Metadata spec and put together an appendix of 94 ways the browser can be induced to make a request. The appendix highlighted mechanisms that needed spec clarifications or additional tests for Sec-Fetch-* request headers. We then wrote a reusable WPT test generation framework that could automatically generate some of the missing coverage. Our contributions ensure that browsers generate the right request headers.

To address the need for COOP and COEP testing, we first audited the spec and filed issues to provide clarification for outstanding questions about how different header combinations are interpreted by different contexts and resources. Then we added better WPT support for header parsing logic, including Structured Header parameters. During the course of this work, we ended up fixing issues in the spec itself where behavior was underspecified. Finally, we added new assertions for the COOP and COEP response headers themselves.