We added new web-platform-tests tests for Fetch Metadata request headers and COEP/COOP response headers that improve browser security guarantees for users and web developers.
Testing New HTTP Headers for Better Browser Security Guarantees
Adding new WPT tests for Fetch Metadata, COEP, and COOP to improve browser security guarantees.View project
Given the interlinked nature of the web, it is difficult to ensure that embedded resources from different origins are safely isolated from a website’s sensitive user data. Cross-site request forgeries (CSRF) are among the most common types of security breaches because they allow attackers to convince the browser to perform authenticated requests that appear to originate from the website itself. Moreover, in a post-Spectre world, it is increasingly difficult to guarantee that a website’s context is unreadable by code running in contexts from other origins in the same browser process In the absence of such a guarantee, users face a greater risk of side-channel and timing attacks.
In order to offer multiple layers of protection against these attack vectors, the Google Information Security team collaborated with the Mozilla and Webkit teams to propose and implement new HTTP headers that will help browsers protect users and websites. The Fetch Metadata spec adds
Sec-Fetch-* request headers that provide additional context to servers to help make informed decisions upfront about whether a request is safe or dangerous. Meanwhile, the Cross Origin Embedder Policy (COEP) and Cross Origin Opener Policy (COOP) response headers allow a website to tell the browser that it should be isolated from other cross-origin resources and pages.
Google asked us to help audit the specifications for these new features and ensure that they have coverage in web-platform-tests (WPT). In the case of Fetch Metadata, we first needed to enumerate all of the ways that a browser could generate a request on behalf of a user, since each mechanism needed to be tested for the correct
Sec-Fetch-* headers. Meanwhile, testing COEP and COOP required designing complex tests that involve running code in multiple processes.
We audited the Fetch Metadata spec and put together an appendix of 94 ways the browser can be induced to make a request. The appendix highlighted mechanisms that needed spec clarifications or additional tests for
Sec-Fetch-* request headers. We then wrote a reusable WPT test generation framework that could automatically generate some of the missing coverage. Our contributions ensure that browsers generate the right request headers.
To address the need for COOP and COEP testing, we first audited the spec and filed issues to provide clarification for outstanding questions about how different header combinations are interpreted by different contexts and resources. Then we added better WPT support for header parsing logic, including Structured Header parameters. During the course of this work, we ended up fixing issues in the spec itself where behavior was underspecified. Finally, we added new assertions for the COOP and COEP response headers themselves.
Writing unambiguous, multi-feature web-platform-tests for these three cross-cutting security features ended up generating feedback, clarifications, and bug fixes for the underlying specifications. We uncovered edge conditions and an exhaustive list of browser request mechanisms. Beyond web platform security, our automated test generation framework may be used as a generic tool to help browser implementers maintain web-platform-tests for similarly cross-cutting features. We are currently evaluating its potential use in tests for Referrer-Policy, Mixed-content, and the Origin header.
For web developers and users, this work improves the safety of web browsers and reduces the vectors for malicious actors to steal sensitive user data. In the case of COOP and COEP, we’ve also empowered browsers to safely re-enable important, but previously risky features including SharedArrayBuffers and high resolution timers like performance.now(). These features allow web developers to build faster and more robust web apps that rival the raw performance of native threaded applications.
More work like this at Bocoup
P.O. Box 961436
Boston, MA 02196