Saturday, October 14, 2023

Securely Hosting User Data in Modern Web Applications


Many web applications need to display user-controlled content. This can be as simple as serving user-uploaded images (e.g. profile photos), or as complex as rendering user-controlled HTML (e.g. a web development tutorial). This has always been difficult to do securely, so we've worked to find easy, but secure solutions that can be applied to most types of web applications.

The classic solution for securely serving user-controlled content is to use what are known as "sandbox domains". The basic idea is that if your application's main domain is example.com, you could serve all untrusted content on exampleusercontent.com. Since these two domains are cross-site, any malicious content on exampleusercontent.com can't impact example.com.

This approach can be used to safely serve all kinds of untrusted content including images, downloads, and HTML. While it may not seem like it is necessary to use this for images or downloads, doing so helps avoid risks from content sniffing, especially in legacy browsers.

Sandbox domains are widely used across the industry and have worked well for a long time. But, they have two major downsides:

  1. Applications often need to restrict content access to a single user, which requires implementing authentication and authorization. Since sandbox domains purposefully do not share cookies with the main application domain, this is very difficult to do securely. To support authentication, sites either have to rely on capability URLs, or they have to set separate authentication cookies for the sandbox domain. This second method is especially problematic in the modern web, where many browsers restrict cross-site cookies by default.
  2. While user content is isolated from the main site, it isn't isolated from other user content. This creates the risk of malicious user content attacking other data on the sandbox domain (e.g. via reading same-origin data).

It is also worth noting that sandbox domains help mitigate phishing risks, since resources are clearly segmented onto an isolated domain.

Over time the web has evolved, and there are now easier, more secure ways to serve untrusted content. There are many different approaches here, so we will outline two solutions that are currently in wide use at Google.

Solution 1: Serving Inactive User Content

If a site only needs to serve inactive user content (i.e. content that is not HTML/JS, for example images and downloads), this can now be safely done without an isolated sandbox domain. There are two key steps:

  1. Always set the Content-Type header to a well-known MIME type that is supported by all browsers and guaranteed not to contain active content (when in doubt, application/octet-stream is a safe choice).
  2. In addition, always set the response headers below to ensure that the browser fully isolates the response.

Response Header                                        Purpose
X-Content-Type-Options: nosniff                        Prevents content sniffing
Content-Disposition: attachment; filename="download"   Triggers a download rather than rendering
Content-Security-Policy: sandbox                       Sandboxes the content as if it was served on a separate domain
Content-Security-Policy: default-src 'none'            Disables JS execution (and inclusion of any subresources)
Cross-Origin-Resource-Policy: same-site                Prevents the page from being included cross-site

This combination of headers ensures that the response can only be loaded as a subresource by your application, or downloaded as a file by the user. Furthermore, the headers provide multiple layers of protection against browser bugs via the CSP sandbox header and the default-src restriction. Overall, the setup outlined above provides a high degree of confidence that responses served in this way cannot lead to injection or isolation vulnerabilities.

Defense In Depth

While the above solution represents a generally sufficient defense against XSS, there are a number of additional hardening measures that you can apply to provide additional layers of security:

  • Set an X-Content-Security-Policy: sandbox header for compatibility with IE11
  • Set a Content-Security-Policy: frame-ancestors 'none' header to block the endpoint from being embedded
  • Sandbox user content on an isolated subdomain by:
    • Serving user content on an isolated subdomain (e.g. Google uses domains such as product.usercontent.google.com)
    • Setting Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp to enable cross-origin isolation
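The following is an added example, not code from the original post or from Google, showing the two steps of Solution 1 together with the optional defense-in-depth headers as a Node.js request handler. It assumes uploads sit in an in-memory store keyed by id, that the handler is mounted under /files/ on the application's own site, and that the allow-list of inactive MIME types and the hypothetical ids avatar-1 and notes-1 are constructed for the demonstration.

```javascript
// Added example (not from the original post, nor Google's code): a Node.js
// handler that serves inactive user content with the isolation headers above.
// Assumptions: uploads live in an in-memory store keyed by id, and the handler
// is mounted under /files/ on the application's own site.

// MIME types that browsers support everywhere and that cannot carry active
// content. Anything else (text/html, image/svg+xml, ...) is downgraded to
// application/octet-stream, the safe default named in the post.
const INACTIVE_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp", "text/plain",
]);

function safeContentType(declared) {
  const type = String(declared || "").split(";")[0].trim().toLowerCase();
  return INACTIVE_TYPES.has(type) ? type : "application/octet-stream";
}

// Baseline headers from the table; `hardened` adds the defense-in-depth set.
// Multiple CSP values are sent as separate header lines, and each is enforced.
function userContentHeaders(declaredType, { hardened = false } = {}) {
  const headers = {
    "Content-Type": safeContentType(declaredType),
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="download"',
    "Content-Security-Policy": ["sandbox", "default-src 'none'"],
    "Cross-Origin-Resource-Policy": "same-site",
  };
  if (hardened) {
    headers["X-Content-Security-Policy"] = "sandbox"; // IE11 compatibility
    headers["Content-Security-Policy"].push("frame-ancestors 'none'");
    headers["Cross-Origin-Opener-Policy"] = "same-origin";
    headers["Cross-Origin-Embedder-Policy"] = "require-corp";
  }
  return headers;
}

// Constructed sample uploads: a PNG signature, and an HTML file a user uploaded
// with an active content type. Both are served inert by the headers alone.
const UPLOADS = new Map([
  ["avatar-1", { type: "image/png", body: Buffer.from("89504e470d0a1a0a", "hex") }],
  ["notes-1", { type: "text/html", body: Buffer.from("<script>alert(1)</script>") }],
]);

// Node http-style handler: http.createServer(handle).listen(8080)
function handle(req, res) {
  const id = new URL(req.url, "http://localhost").pathname.replace(/^\/files\//, "");
  const upload = UPLOADS.get(id);
  if (!upload) {
    res.writeHead(404);
    res.end();
    return;
  }
  // Per-user authorization can use the main site's own session cookie here,
  // because the endpoint is same-site with the application.
  const headers = userContentHeaders(upload.type, { hardened: true });
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  res.writeHead(200);
  res.end(upload.body);
}
```

The point to notice is that the declared type of notes-1 is never trusted: the allow-list downgrades it to application/octet-stream, and nosniff plus the two CSP policies keep the browser from rendering it even if the type check were wrong.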

Solution 2: Serving Active User Content

Safely serving active content (e.g. HTML or SVG images) can also be done without the weaknesses of the classic sandbox domain approach.

The simplest option is to take advantage of the Content-Security-Policy: sandbox header to tell the browser to isolate the response. While not all web browsers currently implement process isolation for sandboxed documents, ongoing refinements to browser process models are likely to improve the separation of sandboxed content from embedding applications. If SpectreJS and renderer compromise attacks are outside of your threat model, then using CSP sandbox is likely a sufficient solution.

At Google, we've developed a solution that can fully isolate untrusted active content by modernizing the concept of sandbox domains. The core idea is to:

  1. Create a new sandbox domain that is added to the public suffix list. For example, by adding exampleusercontent.com to the PSL, you can ensure that foo.exampleusercontent.com and bar.exampleusercontent.com are cross-site and thus fully isolated from each other.
  2. Route all URLs matching *.exampleusercontent.com/shim to a static shim file. This shim file contains a short HTML/JS snippet that listens for the message event and renders any content it receives.
  3. To use this, the product creates either an iframe or a popup to $RANDOM_VALUE.exampleusercontent.com/shim and uses postMessage to send the untrusted content to the shim for rendering.
  4. The rendered content is transformed into a Blob and rendered inside a sandboxed iframe.

Compared to the classic sandbox domain approach, this ensures that all content is fully isolated on a unique site. And, by having the main application deal with retrieving the data to be rendered, it is no longer necessary to use capability URLs.

Together, these two solutions make it possible to migrate off of classic sandbox domains like googleusercontent.com to more secure solutions that are compatible with third-party cookie blocking. At Google, we've already migrated many products to use these solutions and have more migrations planned for the next year. We hope that by sharing these solutions, we can help other websites easily serve untrusted content in a secure manner.
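As an added example of the shim-based design in Solution 2 (this is not Google's shim and not code from the post), the block below carries steps 1 to 4 through in browser JavaScript: the application derives a unique site under the sandbox domain from caller-supplied randomness, opens the shim there, and posts the untrusted markup to it; the shim validates the message and renders it from a Blob in a sandboxed iframe. It assumes exampleusercontent.com is on the PSL, that the application lives at https://example.com, and that the shim only accepts messages from that origin, an extra check the post does not state. The function and constant names are this example's own.

```javascript
// Added example, not Google's shim: a minimal version of the shim-based
// sandbox from the post. Assumptions: exampleusercontent.com is on the PSL,
// the main application lives at https://example.com, and the shim only
// accepts content from that origin (an extra check not stated in the post).
const SANDBOX_SUFFIX = ".exampleusercontent.com";
const APP_ORIGIN = "https://example.com";

// Main application side: derive a unique site from 128 random bits (the
// caller obtains them from crypto.getRandomValues) so that each rendered
// document is cross-site to every other one.
function sandboxOrigin(randomHex) {
  if (!/^[0-9a-f]{32}$/.test(randomHex)) {
    throw new Error("randomHex must be 32 lowercase hex digits");
  }
  return "https://" + randomHex + SANDBOX_SUFFIX;
}

function shimUrl(randomHex) {
  return sandboxOrigin(randomHex) + "/shim";
}

// Shim side: validate a message before anything is rendered. Returns the
// content to render, or null when the message must be ignored. Messages from
// the sandboxed frame itself arrive with origin "null" and are rejected too.
function acceptMessage(origin, data) {
  if (origin !== APP_ORIGIN) return null;
  if (!data || typeof data.body !== "string") return null;
  const type = data.type === "image/svg+xml" ? "image/svg+xml" : "text/html";
  return { body: data.body, type };
}

// Shim side, browser only: put the content in a Blob and show it in a
// sandboxed iframe. Without allow-same-origin the document gets an opaque
// origin; allow-scripts keeps active content working.
function renderInSandbox(content) {
  const blob = new Blob([content.body], { type: content.type });
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts");
  frame.src = URL.createObjectURL(blob);
  document.body.replaceChildren(frame);
}

// Main application side, browser only: open the shim on a fresh site and hand
// it the untrusted markup via postMessage, targeting that site only.
function embedUntrusted(randomHex, body, type) {
  const origin = sandboxOrigin(randomHex);
  const frame = document.createElement("iframe");
  frame.src = shimUrl(randomHex);
  frame.addEventListener("load", () => {
    frame.contentWindow.postMessage({ body, type }, origin);
  });
  document.body.appendChild(frame);
  return frame;
}

// Shim entry point; registers the listener only when running in a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const content = acceptMessage(event.origin, event.data);
    if (content) renderInSandbox(content);
  });
}
```

Because the random label is part of the site name, two documents rendered through embedUntrusted with different random values are cross-site to each other, which is the isolation the classic single sandbox domain lacked; and because the application fetches the data itself and pushes it with postMessage, the sandbox site never needs cookies or capability URLs.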


