Many web applications need to display user-controlled content. This can be as simple as serving user-uploaded images (e.g. profile photos), or as complex as rendering user-controlled HTML (e.g. a web development tutorial). This has always been difficult to do securely, so we've worked to find easy, but secure solutions that can be applied to most types of web applications.
The classic solution for securely serving user-controlled content is to use what are known as "sandbox domains". The basic idea is that if your application's main domain is example.com, you could serve all untrusted content on exampleusercontent.com. Since these two domains are cross-site (different registrable domains, so they share neither cookies nor a same-origin relationship), any malicious content on exampleusercontent.com can't impact example.com.
This approach can be used to safely serve all kinds of untrusted content, including images, downloads, and HTML. While it may not seem necessary to use this for images or downloads, doing so helps avoid risks from content sniffing, especially in legacy browsers: a browser that guesses a resource's type from its bytes may treat an uploaded "image" as HTML and execute script from it in the serving origin.
Sandbox domains are widely used across the industry and have worked well for a long time. But, they have two major downsides:
- Applications often need to restrict content access to a single user, which requires implementing authentication and authorization. Since sandbox domains purposefully do not share cookies with the main application domain, this is very difficult to do securely. To support authentication, sites either have to rely on capability URLs (unguessable URLs that grant access to whoever holds them), or they have to set separate authentication cookies for the sandbox domain. This second method is especially problematic in the modern web where many browsers restrict cross-site cookies by default.
- While user content is isolated from the main site, it isn't isolated from other user content. This creates the risk of malicious user content attacking other data on the sandbox domain (e.g. via reading same-origin data).
It is also worth noting that sandbox domains help mitigate phishing risks, since user-controlled resources are clearly segmented onto an isolated domain that users can learn not to trust.
Over time the web has evolved, and there are now easier, more secure ways to serve untrusted content. There are many different approaches here, so we will outline two solutions that are currently in wide use at Google.
Approach 1: Serving Inactive User Content
If a site only needs to serve inactive user content (i.e. content that is not HTML/JS, for example images and downloads), this can now be safely done without an isolated sandbox domain. There are two key steps:
- Always set the Content-Type header to a well-known MIME type that is supported by all browsers and guaranteed to not contain active content (when in doubt, application/octet-stream is a safe choice). Note that image/svg+xml is not such a type: SVG can carry script, so it is active content and belongs under Approach 2 below.
- In addition, always set the response headers that instruct the browser to fully isolate the response: disable content sniffing, force a download rather than rendering on top-level navigation, sandbox the document with a CSP that also forbids all subresources, and block other origins from embedding it.
This combination of headers ensures that the response can only be loaded as a subresource by your application, or downloaded as a file by the user. Furthermore, the headers provide multiple layers of protection against browser bugs through the CSP sandbox header and the default-src restriction: even if a sniffing bug caused the bytes to be interpreted as a document, that document would have an opaque origin and could neither run script nor load subresources. Overall, the setup outlined above provides a high degree of confidence that responses served in this way cannot lead to injection or isolation vulnerabilities.
Defense In Depth
While the above solution represents a generally sufficient defense against XSS, there are a number of additional hardening measures that you can apply to provide additional layers of security:
- Set an X-Content-Security-Policy: sandbox header for compatibility with IE11
- Set a Content-Security-Policy: frame-ancestors 'none' header to block the endpoint from being embedded
- Sandbox user content on an isolated subdomain by:
  - Serving user content on an isolated subdomain (e.g. Google uses domains such as product.usercontent.google.com)
  - Setting Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp to enable cross-origin isolation
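The following Node.js helper is an added example, not code from the original post or from Google: it builds the Approach 1 header set for an inactive-content endpoint and, behind an option, adds the hardening headers from the Defense In Depth list above. The function and option names, the MIME allowlist, the filename sanitisation and the shape of the response object are this example's own assumptions.

```javascript
'use strict';

// Added example (not the original post's code). Response headers for serving
// inactive user content from the main origin, with optional hardening.
// Names, the allowlist and the response-object shape are assumptions.

// MIME types every browser treats as passive data. Deliberately absent:
// text/html, image/svg+xml (SVG can carry script) and application/xhtml+xml.
const INACTIVE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'text/plain', 'application/zip', 'application/octet-stream',
]);

function inactiveContentHeaders(mimeType, { filename = 'download', hardened = false } = {}) {
  // Unknown or active types are downgraded to application/octet-stream.
  const type = INACTIVE_TYPES.has(mimeType) ? mimeType : 'application/octet-stream';
  // Keep the quoted filename free of quotes, separators and control bytes so a
  // user-chosen name cannot smuggle extra Content-Disposition parameters.
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, '_') || 'download';

  const headers = {
    'Content-Type': type,
    // Never let the browser guess a different (active) type from the bytes.
    'X-Content-Type-Options': 'nosniff',
    // Top-level navigation to the URL downloads it instead of rendering it;
    // <img src> and fetch() from your own pages are unaffected.
    'Content-Disposition': `attachment; filename="${safeName}"`,
    // Opaque origin, and no script or subresources even if the sandbox fails.
    'Content-Security-Policy': "sandbox; default-src 'none'",
    // Only same-origin documents may embed the response as a subresource.
    'Cross-Origin-Resource-Policy': 'same-origin',
  };

  if (hardened) {
    // Legacy header so IE11 also applies the sandbox.
    headers['X-Content-Security-Policy'] = 'sandbox';
    // Block the endpoint from being framed anywhere.
    headers['Content-Security-Policy'] += "; frame-ancestors 'none'";
    // Cross-origin isolation, as listed for content on an isolated subdomain.
    headers['Cross-Origin-Opener-Policy'] = 'same-origin';
    headers['Cross-Origin-Embedder-Policy'] = 'require-corp';
  }
  return headers;
}

// Writes a user-uploaded file to a Node.js-style response object (anything
// with writeHead/end, e.g. http.ServerResponse) and returns the headers used.
function serveUserFile(res, bytes, mimeType, filename, options = {}) {
  const headers = inactiveContentHeaders(mimeType, { filename, ...options });
  headers['Content-Length'] = String(bytes.length);
  res.writeHead(200, headers);
  res.end(bytes);
  return headers;
}
```

The two CSP directives are sent in a single header here; sending them as two separate Content-Security-Policy headers is equivalent, since browsers enforce every policy they receive. The downgrade to application/octet-stream is what makes a stored SVG or HTML file harmless even if the upload path mislabelled it.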
Approach 2: Serving Active User Content
Safely serving active content (e.g. HTML or SVG images) can also be done without the weaknesses of the classic sandbox domain approach.
The simplest option is to take advantage of the Content-Security-Policy: sandbox header to tell the browser to isolate the response. A sandboxed document gets an opaque origin, so it cannot read your application's cookies, storage or DOM; but as long as it shares a renderer process with your pages, it remains exposed to process-level attacks. While not all web browsers currently implement process isolation for sandboxed documents, ongoing refinements to browser process models are likely to improve the separation of sandboxed content from embedding applications. If SpectreJS and renderer compromise attacks are outside of your threat model, then using CSP sandbox is likely a sufficient solution.
At Google, we've developed a solution that can fully isolate untrusted active content by modernizing the concept of sandbox domains. The core idea is to:
- Create a new sandbox domain that is added to the public suffix list. For example, by adding exampleusercontent.com to the PSL, you can ensure that foo.exampleusercontent.com and bar.exampleusercontent.com are cross-site and thus fully isolated from each other.
- Route all URLs matching *.exampleusercontent.com/shim to a static shim file. This shim file contains a short HTML/JS snippet that listens for the message event and renders any content it receives.
- To use this, the product creates either an iframe or a popup to $RANDOM_VALUE.exampleusercontent.com/shim and uses postMessage to send the untrusted content to the shim for rendering.
- The shim turns the received content into a Blob and renders it inside a sandboxed iframe.
Compared to the classic sandbox domain approach, this ensures that all content is fully isolated on a unique site: because the random label is a separate registrable domain under the PSL, two renders can never reach each other's data. And, by having the main application retrieve the data to be rendered and hand it over via postMessage, it is no longer necessary to use capability URLs.
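As an added example that is not Google's shim or any code from the original post, the following JavaScript shows both halves of the scheme above: the product-side helpers that mint a fresh shim site and post the untrusted content to it, and the shim's message handler that checks the sender's origin, renders exactly once, and mounts the content as a Blob URL in a sandboxed iframe. exampleusercontent.com is assumed to be on the public suffix list; SHIM_PATH, the allowed-origin list, the 16-byte label length, the sandbox flags and the `deps` object that wraps the DOM calls are this example's own choices.

```javascript
'use strict';

// Added example (not Google's shim). Product-side helpers and the shim-side
// message handler for the PSL-backed sandbox scheme. exampleusercontent.com is
// assumed to be on the PSL; SHIM_PATH, origins and `deps` are assumptions.

const SANDBOX_SUFFIX = 'exampleusercontent.com';
const SHIM_PATH = '/shim';

// Browsers and Node >= 18 expose Blob globally; older Node keeps it in 'buffer'.
const BlobCtor = globalThis.Blob || require('buffer').Blob;

// --- Product side -----------------------------------------------------------

// 16 random bytes (crypto.getRandomValues / crypto.randomBytes) as a DNS label.
function randomLabel(bytes) {
  if (bytes.length < 16) throw new Error('need at least 128 bits of entropy');
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// A fresh site per render: https://<random>.exampleusercontent.com/shim
function shimUrl(label) {
  if (!/^[0-9a-f]{32,}$/.test(label)) throw new Error('label must be lowercase hex');
  return `https://${label}.${SANDBOX_SUFFIX}${SHIM_PATH}`;
}

// Sends the untrusted content to the shim window (an iframe's contentWindow or
// a popup). Passing the exact shim origin as targetOrigin guarantees the data
// is delivered only if that window really is our shim, not a navigated-away page.
function sendToShim(shimWindow, shimUrlString, content, mimeType) {
  const msg = { content, mimeType };
  shimWindow.postMessage(msg, new URL(shimUrlString).origin);
  return msg;
}

// --- Shim side --------------------------------------------------------------

// Returns the `message` handler the shim installs. `deps` wraps the DOM calls
// so the logic can run outside a browser; in the page use
// { createObjectURL: (b) => URL.createObjectURL(b),
//   createElement: (t) => document.createElement(t),
//   mount: (f) => document.body.appendChild(f) }.
function makeShimHandler(allowedOrigins, deps) {
  let rendered = false;
  return function onMessage(event) {
    // Only the application that opened this shim may feed it content, and a
    // shim instance renders exactly once: later messages from anyone are ignored.
    if (!allowedOrigins.includes(event.origin)) return { rendered: false, reason: 'origin' };
    if (rendered) return { rendered: false, reason: 'already-rendered' };
    const { content, mimeType } = event.data || {};
    if (typeof content !== 'string' || typeof mimeType !== 'string') {
      return { rendered: false, reason: 'malformed' };
    }
    rendered = true;
    // Blob -> blob: URL, so the content is never fetched from a real URL.
    const blob = new BlobCtor([content], { type: mimeType });
    const frame = deps.createElement('iframe');
    // No allow-same-origin: the document gets an opaque origin even relative to
    // this (already unique) site. allow-scripts is this example's assumed
    // policy for content that is meant to run script.
    frame.setAttribute('sandbox', 'allow-scripts');
    frame.src = deps.createObjectURL(blob);
    deps.mount(frame);
    return { rendered: true, src: frame.src, size: blob.size };
  };
}

// Browser wiring: only runs when this script is loaded as the shim page.
if (typeof window !== 'undefined' && window.location.pathname === SHIM_PATH) {
  window.addEventListener('message', makeShimHandler(['https://example.com'], {
    createObjectURL: (b) => URL.createObjectURL(b),
    createElement: (t) => document.createElement(t),
    mount: (f) => document.body.appendChild(f),
  }));
}
```

The origin check on the shim side is what stops an unrelated page from opening a shim itself and using it to render content under your sandbox suffix; the single-render rule means a compromised or late message cannot replace content a user is already looking at. Neither check replaces the isolation the PSL entry provides; they only keep the shim from being abused as an open renderer.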
Together, these two solutions make it possible to migrate off of classic sandbox domains like googleusercontent.com to more secure solutions that are compatible with third-party cookie blocking. At Google, we've already migrated many products to use these solutions and have more migrations planned for the next year. We hope that by sharing these solutions, we can help other websites easily serve untrusted content in a secure manner.