Conversation

When you're reading articles and papers about interesting attacks, it's helpful to remember that there are very concrete things you can do to protect your web applications from side-channels: w3c.github.io/webappsec-post lays out effective mitigation strategies. Try them out!

Quote Tweet

Catalin Cimpanu

@campuscodi

Sep 8, 2021

New CPU side-channel attack named Spook.js takes aim at Chrome’s Site Isolation feature therecord.media/new-cpu-side-c

Show this thread

Replying to

and

I practically tried to deploy these on my very simple private webpage and stumbled upon several bugs in firefox that I was surprised weren't really prioritized. As long as this breaks things people won't deploy.

Replying to

and

here cache doing weird things on reload bugzilla.mozilla.org/show_bug.cgi?i and here rss feeds break in thunderbird

bugzilla.mozilla.org

1698755 - Cross-Origin-Resource-Policy: same-origin header breaks RSS in Thunderbird

NEW (nobody) in Thunderbird - General. Last updated 2021-06-30.

Replying to

and

Thunderbird issue is definitely a bug. However, there's not much loss from Cross-Origin-Resource-Policy: cross-origin for completely static assets. It's needed to permit image hotlinking which is unfortunately broadly used for favicon, open graph images, etc. despite being gross.

9:32 AM · Sep 9, 2021Twitter Web App

Replying to

We've ended declaring the other headers globally but specifying Cross-Origin-Resource-Policy on a case-by-case basis in our nginx configurations. For example, attestation.app has as github.com/GrapheneOS/Att for the baseline configuration. It largely works fine for us.

github.com

AttestationServer/security-headers.conf at main · GrapheneOS/AttestationServer

attestation.app remote attestation server. Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a re...

Replying to

Firefox bugs may be an issue for element.grapheneos.org since we rely on CORP cross-origin headers being set on matrix.grapheneos.org. It's not an open registration server though, and our dozen users (moderators, developers) are using Chromium-based browsers including Edge.

grapheneos.org

GrapheneOS servers

Documentation on GrapheneOS servers.

Show replies

Replying to

and

Entirely right. If you know that a particular resource isn't personalized, and would be available to an attacker who knows how to use `curl`, then it's totally reasonable to mark it as `CORP: cross-origin`, a la resourcepolicy.fyi/#cross-origin.

resourcepolicy.fyi

Consider deploying Cross-Origin Resource Policy.

`Cross-Origin-Resource-Policy: same-origin` is always safe. `Cross-Origin-Resource-Policy: cross-site` is always compatible.