Same origin policy and malicious scripts

Ungraded Quiz

• explain the Same-Origin policy — what is it and why do browsers need it?
• Sketch out a CSRF attack
• Describe how CSRF tokens work to prevent a CSRF attack

Key concepts

Same origin policy

• goal #1: prevent JavaScript from one site interfering with a web page from another site
  • without this, a malicious site could load JavaScript to read your credit card details on another site that you have loaded
• goal #2: allow friendly domains to share scripts (e.g. two divisions of the same company), allow ads from third parties
• reminder — sharing scripts is possible with

<script src="https://domain2/script.js" />

• origin = (scheme, host, port)

• same origin policy

  • lets a site load scripts, images, documents, etc from a different origin
  • but prevents the site from reading the script, image, document, etc that is loaded
  • also prevents a fetch() from the site to another origin

• see Figure 9.5, page 258

• see rules for matching origins, page 259

• the book discusses relaxing the same-origin policy by manipulating document.domain. This is now disallowed by browsers.

  • see also MDN docs

• different same-origin rules for cookies

• CORS — Cross-origin Resource Sharing allows a server to set policy for which origins may request its content via a fetch

Malicious scripts

• authentication cookies

  • used to identify a session after login
  • Set-Cookie: sessionID=abcd12345
  • should be sufficiently random and thus not easy to guess
  • should have an expiration time

• cookie theft

  • need to avoid sending cookies to malicious sites: HTTPOnly cookie attriute
  • need to avoid malicious HTTP proxies: Secure cookie attribute
  • non-script client-side malware (e.g. keylogger, malicious browser extension)
  • access to cookie storage on client side

• sensitive data in cookies should be encrypted and protected with a MAC (e.g. authenticated encryption) or encrypted and signed

• CSRF: Cross-Site Request Forgery

  • goal of the attacker is to control what is sent in a request that is authorized by an authentication cookie
  • see examples, page 261 and 262
  • can be hidden in a link or a zero-pixel image

• notes on CRSF

  • can’t rely on checking IP addresses, since the request comes from the victim
  • requires a current session — hence financial sites regularly log you out
  • can use an injected script, but doesn’t require one

• CRSF mitigation: secret validation tokens

  • for further reading, see OWASP CSRF prevention cheat sheet