Conversation

When you're reading articles and papers about interesting attacks, it's helpful to remember that there are very concrete things you can do to protect your web applications from side-channels: w3c.github.io/webappsec-post lays out effective mitigation strategies. Try them out!

Quote Tweet

Catalin Cimpanu

@campuscodi

Sep 8, 2021

New CPU side-channel attack named Spook.js takes aim at Chrome’s Site Isolation feature therecord.media/new-cpu-side-c

Show this thread

Replying to

and

I practically tried to deploy these on my very simple private webpage and stumbled upon several bugs in firefox that I was surprised weren't really prioritized. As long as this breaks things people won't deploy.

Replying to

and

here cache doing weird things on reload bugzilla.mozilla.org/show_bug.cgi?i and here rss feeds break in thunderbird

bugzilla.mozilla.org

1698755 - Cross-Origin-Resource-Policy: same-origin header breaks RSS in Thunderbird

NEW (nobody) in Thunderbird - General. Last updated 2021-06-30.

Replying to

and

Thunderbird issue is definitely a bug. However, there's not much loss from Cross-Origin-Resource-Policy: cross-origin for completely static assets. It's needed to permit image hotlinking which is unfortunately broadly used for favicon, open graph images, etc. despite being gross.

Replying to

We've ended declaring the other headers globally but specifying Cross-Origin-Resource-Policy on a case-by-case basis in our nginx configurations. For example, attestation.app has as github.com/GrapheneOS/Att for the baseline configuration. It largely works fine for us.

github.com

AttestationServer/security-headers.conf at main · GrapheneOS/AttestationServer

attestation.app remote attestation server. Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a re...

Replying to

Firefox bugs may be an issue for element.grapheneos.org since we rely on CORP cross-origin headers being set on matrix.grapheneos.org. It's not an open registration server though, and our dozen users (moderators, developers) are using Chromium-based browsers including Edge.

grapheneos.org

GrapheneOS servers

Documentation on GrapheneOS servers.

Replying to

Can see various notes in github.com/GrapheneOS/gra about where we had to enable cross-enable CORP. Mostly need it for image hotlinking for images with a stable URL but there was also a terrible Chromium PDF viewer bug which they worked around by disabling range-based loading.

github.com

grapheneos.org/nginx.conf at main · GrapheneOS/grapheneos.org

Main website servers. Contribute to GrapheneOS/grapheneos.org development by creating an account on GitHub.

Replying to

Ran into Thunderbird RSS issue too with our atom feed for releases. Don't really care about needing to set cross-origin CORP for static assets though. matrix.grapheneos.org needs cross-origin CORP for everything for Element Web to use it but Matrix doesn't use cookies anyway.

grapheneos.org

GrapheneOS servers

Documentation on GrapheneOS servers.

9:39 AM · Sep 9, 2021Twitter Web App