Resource Isolation Policy prevents external websites from requesting your resources. Blocking such traffic mitigates common web vulnerabilities such as CSRF, XSSI, or XS-Leaks. The policy can be enabled for applications whose endpoints are not intended to be loaded in a cross-site context and will allow resource requests coming from your application as well as direct navigations. Implementation with Fetch Metadata # The below snippet showcases an example implementation of the Resource Isolati...| Introduction on XS-Leaks Wiki
We can distinguish two types of clocks – explicit and implicit. Explicit clocks are used by developers to get direct timing measurements, mechanisms of this type are offered explicitly by the browser. In contrast, implicit clocks utilize particular web features to create unintended clocks that allow measuring the relative passage of time. Explicit Clocks # performance.now API # The performance.now() API allows developers to get high-resolution timing measurements. info| Introduction on XS-Leaks Wiki
Cross-site search (XS-Search) is an important attack principle in the family of XS-Leaks. This type of attack abuses Query-Based Search Systems to leak user information from an attacker origin 12. The original attack uses timing measurements to detect whether or not a search system returns results and works as follows: Establish a baseline of the time needed for a request to return results (hit), and a baseline for the time needed by a request with no results (miss). Start a timing attack on ...| Introduction on XS-Leaks Wiki
Framing Isolation Policy is a stricter version of Framing Protections where the request gets blocked at the application level rather than by the browser. This is designed to protect against various attacks (e.g. XSSI, CSRF, XS-Leaks) by blocking framing requests to endpoints that are not intended to be framable. It can be combined with Resource Isolation Policy to effectively tighten the attack surface within cross-site information leaks. tip Instead of rejecting all non-framable endpoints, t...| Introduction on XS-Leaks Wiki
If a page sets its opener property to null or is using COOP protection depending on the users’ state, it becomes possible to infer cross-site information about that state. For example, attackers can detect whether a user is logged in by opening an endpoint in an iframe (or a new window) which only authenticated users have access to, simply by checking its window reference. Run demo Code Snippet # The below snippet demonstrates how to detect whether the opener property was set to null, or wh...| Introduction on XS-Leaks Wiki
Cross-Origin Read Blocking (CORB) is a web platform security feature aimed at reducing the impact of speculative side-channel attacks such as Spectre. Unfortunately, blocking certain types of requests introduced a new type of XS-Leaks 1 that allows attackers to detect if CORB was enforced on one request, but wasn’t on another. Nevertheless, the introduced XS-Leaks are much less problematic than the issues actively protected by CORB (e.g. Spectre). info| Introduction on XS-Leaks Wiki
Explanation # Cross-Origin Resource Policy (CORP) is a web platform security feature that allows websites to prevent certain resources from being loaded by other origins. This protection complements CORB since it is an opt-in defense, whereas CORB blocks some cross-origin reads by default. Unfortunately, similar to CORB, applications can introduce a new XS-Leak if they misconfigure the use of this protection. A webpage will introduce an XS-Leak if CORP is enforced based on user data. If a pag...| Introduction on XS-Leaks Wiki
CSS Tricks # CSS can be used to trick a user into exposing information such as embedded pixel values by making visual changes that are affected by the embed. Retrieving user’s history # Using the CSS :visited selector, it’s possible to apply a different style for URLs that have been visited. Previously it was possible to use getComputedStyle() to detect this difference, but now browsers prevent this by always returning values as if the link was visited and limiting what styles can be appl...| Introduction on XS-Leaks Wiki
When a webpage issues a request to a server (e.g. fetch, HTML tags), the server receives and processes this request. When received, the server decides whether the request should succeed (e.g. 200) or fail (e.g. 404) based on the provided context. When a response has an error status, an error event is fired by the browser for the page to handle. These errors also cover situations where the parser fails, for example when trying to embed HTML content as an image.| Introduction on XS-Leaks Wiki
Window references allow cross-origin pages to get access to some of the attributes of other pages. These references become available when using or allowing iframe and window.open. The references provide (limited) information about the window as they still respect the same-origin policy. One of the accessible attributes is window.length which provides the number of frames in the window. This attribute can provide valuable information about a page to an attacker.| Introduction on XS-Leaks Wiki
Detecting if a cross-site page triggered a navigation (or didn’t) can be useful to an attacker. For example, a website may trigger a navigation in a certain endpoint depending on the status of the user. To detect if any kind of navigation occurred, an attacker can: Use an iframe and count the number of times the onload event is triggered. Check the value of history.length, which is accessible through any window reference. This provides the number of entries in the history of a victim that w...| Introduction on XS-Leaks Wiki
Network Timing side-channels have been present on the web since its inception 12. These attacks have had different levels of impact over time, gaining new attention when browsers started shipping high-precision timers like performance.now(). To obtain timing measurements, attackers must use a clock, either an implicit or an explicit one. These clocks are usually interchangeable for the purposes of XS-Leaks and only vary in accuracy and availability. For simplicity, this article assumes the us...| Introduction on XS-Leaks Wiki
Performance API # The Performance API provides access to performance-related information enhanced by the data from the Resource Timing API which provides the timings of network requests such as the duration but when there’s a Timing-Allow-Origin: * header sent by the server the transfer size and domain lookup time is also provided. This data can be accessed by using performance.getEntries or performance.getEntriesByName It can also be used to get the execution time using the difference of p...| Introduction on XS-Leaks Wiki
The principle of Cache Probing consists of detecting whether a resource was cached by the browser. The concept has been known since the beginning of the web 1 and initially relied on detecting timing differences. When a user visits a website, some resources such as images, scripts, and HTML content are fetched and later cached by the browser (under certain conditions). This optimization makes future navigations faster as the browser serves those resources from disk instead of requesting them ...| Introduction on XS-Leaks Wiki
Some HTML Elements might be used to leak a portion of data to a cross-origin page. For example, the below media resources can leak information about its size, duration, type. HTMLMediaElement leaks the media duration and the buffered times. Run demo HTMLVideoElement leaks the videoHeight and videoWidth some browsers may also have webkitVideoDecodedByteCount, webkitAudioDecodedByteCount and webkitDecodedFrameCount getVideoPlaybackQuality() leaks the totalVideoFrames. HTMLImageElement leaks the...| Introduction on XS-Leaks Wiki
Navigation Isolation Policy is a server-side protection mechanism intended to mitigate CSRF, clickjacking, reflected XSS, and XS-Leaks that make use of cross-site window contexts. This is a strict policy and has the potential to break an application since it blocks all cross-site navigations, including navigations through hyperlinks. tip Instead of rejecting all cross-site interactions, the user could be prompted to confirm the action, e.g. Confirm that you visited this page from a trusted or...| Introduction on XS-Leaks Wiki
Measuring the time of JavaScript execution in a browser can give attackers information on when certain events are triggered, and how long some operations take. Timing the Event Loop # JavaScript’s concurrency model is based on a single-threaded event loop which means it can only run one task at a time. If, for example, some time-consuming task blocks the event loop, the user can perceive a freeze on a page as a result of the UI thread being starved. Other tasks must wait until the blocking ...| Introduction on XS-Leaks Wiki
Hybrid Timing Attacks allow attackers to measure the sum of a group of factors that influence the final timing measurement. These factors include: Network delays Document parsing Retrieval and processing of subresources Code execution Some of the factors differ in value depending on the application. This means that Network Timing might be more significant for pages with more backend processing, while Execution Timing can be more significant in applications processing and displaying data withi...| Introduction on XS-Leaks Wiki
The id attribute is widely used to identify HTML elements. Unfortunately, cross-origin websites can determine whether a given id is set anywhere on a page by leveraging the focus event and URL fragments. If https://example.com/foo#bar is loaded, the browser attempts to scroll to the element with id="bar". This can be detected cross-origin by loading https://example.com/foo#bar in an iframe; if there is an element with id="bar", the focus event fires. The blur event can also be used for the sa...| Introduction on XS-Leaks Wiki
Applications often use postMessage broadcasts to share information with other origins. Using postMessage can lead to two kinds of XS-Leaks: Sharing sensitive messages with untrusted origins The postMessage API supports a targetOrigin parameter that can be used to restrict which origins can receive the message. If the message contains any sensitive data, it is important to use this parameter. Leaking information based on varying content or on the presence of a broadcast| Introduction on XS-Leaks Wiki
Strict Isolation Policy is intended to protect against all cross-site interactions (including navigations to the application through hyperlinks). This is a very strict policy that has the potential to prevent applications from functioning properly. tip Instead of rejecting all cross-site interactions, the user could be prompted to confirm the action, e.g. Confirm that you visited this page from a trusted origin, to mitigate the risk of attacks in the background, and, at the same time, help pr...| Introduction on XS-Leaks Wiki
CSS Injection # warning This group of XS-Leaks requires a CSS injection on the target page. Among the different CSS injection vectors, the most noticeable one is the abuse of CSS Selectors. They can be used as an expression to match and select certain HTML elements. For example, the selector input[value^="a"] is matched if the value of an input tag starts with the character “a”. So, to detect if a CSS Selector matches the expression, attackers can trigger a callback to one of their websit...| Introduction on XS-Leaks Wiki
In Chromium-based browsers, when a file was downloaded, a preview of the download process appeared in a bar at the bottom, integrated into the browser window. By monitoring the window height, attackers could detect whether the “download bar” opened: // Read the current height of the window var screenHeight =window.innerHeight; // Load the page that may or may not trigger the download window.open('https://example.org'); // Wait for the tab to load setTimeout(() => { // If the download bar ...| Introduction on XS-Leaks Wiki
Fetch Metadata Request Headers are sent by browsers with HTTPS requests. These headers provide context on how a request was initiated so that applications are able to make more informed decisions on how to respond to them. This allows servers to behave differently when they detect potential attacks (e.g. unexpected cross-origin requests). This can be very effective against cross-origin attacks like XSSI, XS-Leaks, Clickjacking, and CSRF if a strict policy is deployed on the server.| Introduction on XS-Leaks Wiki
There are a number of different approaches applications can use to defend against cache probing-based XS-Leaks. These approaches are explained in the following sections. Cache Protection via Cache-Control Headers # If it is acceptable to disable caching, doing so provides a strong defense against cache probing attacks. Disabling caching means that every time someone loads a resource, the resource has to be fetched again. To disable caching, set a Cache-Control: no-store header on every single...| Introduction on XS-Leaks Wiki
Leaking the Content-Type of a request would provide attackers with a new way of distinguishing two requests from each other. typeMustMatch # typeMustMatch is a Boolean that reflects the typeMustMatch attribute of the object element. It ensures that a certain MIME type must be enforced when loading an object, by verifying if the Content-Type of the resource is the same as the one provided in the object. Unfortunately, this enforcement also allowed attackers to leak the Content-Type and Status ...| Introduction on XS-Leaks Wiki
Cross-Origin Read Blocking (CORB) is a security mechanism that prevents attackers from loading certain cross-origin resources 1. This protection was created to defend against speculative side-channel attacks such as Spectre that allow attackers to read the memory of the process that both cross-site pages (e.g. attacker.com and sensitive.com) were embedded into. CORB aims to prevent attackers from loading certain sensitive cross-origin resources into an attacker-controlled process. For example...| Introduction on XS-Leaks Wiki
Getting access to a website’s window object is a common prerequisite for different XS-Leak techniques. Framing Protections can ensure that an attacker cannot use iframes to access the window object, but this does not stop an attacker from accessing the window object from an opened window through window.open(url) or window.opener references. Exploiting XS-Leaks with window.open is generally seen as the least appealing option for an attacker because the user can see it happen in the open brow...| Introduction on XS-Leaks Wiki
Cross-Origin Resource Policy (CORP) is a web platform security feature that allows websites to prevent certain resources from being loaded by other origins. This protection complements CORB since it is an opt-in defense, whereas CORB blocks some cross-origin reads by default. CORP is designed to protect against both speculative execution attacks and XS-Leaks by allowing developers to ensure that sensitive resources cannot end up in attacker-controlled processes. Unlike CORB, this protection i...| Introduction on XS-Leaks Wiki
A considerable number of XS-Leaks rely on some of the properties of iframes. If an attacker is unable to embed the contents of a page as an iframe, frame, embed or object, then the attack may no longer be possible. To mitigate XS-Leaks which rely on these objects, pages can forbid or select which origins can embed them. Doing so is possible by using the X-Frame-Options header or the CSP frame-ancestors directive.| Introduction on XS-Leaks Wiki
In order to defend against cache probing attacks, browser developers are actively working on implementing a partitioned HTTP cache functionality that would in essence ensure each website has a distinct cache. Since cache probing relies on the fact that a browser’s HTTP cache is shared across every website, a partitioned HTTP cache can defend against many cache probing techniques. This is done by using tuples (either (top-frame-site, resource-url) like firefox 1 or (top-frame-site, framing-s...| Introduction on XS-Leaks Wiki
Portals are a new feature of the web which is similar to iframes, but with more emphasis on speed and user experience. The portal element is only available on Chromium-based browsers under a preference flag. The corresponding specification is still under active discussion. Unfortunately, research of this new feature has discovered some critical issues, including new XS-Leaks 1. ID Leaks # Portals can be abused as an alternative to the ID Attribute XS-Leak. If a website sets framing protection...| Introduction on XS-Leaks Wiki
SameSite cookies are one of the most impactful modern security mechanisms for fixing security issues that involve cross-site requests. This mechanism allows applications to force browsers to only include cookies in requests that are issued same-site 1. This type of cookie has three modes: None, Lax, and Strict. SameSite Cookie Modes # The following SameSite cookie modes are available: None – Disables all protections and restores the old behavior of cookies. This mode is not recommended.| Introduction on XS-Leaks Wiki
Scroll to Text Fragment (STTF) is a new web platform feature that allows users to create a link to any part of a web page text. The fragment #:~:text= carries a text snippet that is highlighted and brought into the viewport by the browser. This feature can introduce a new XS-Leak if attackers are able to detect when this behavior occurs. This issue is very similar to the Scroll to CSS Selector XS-Leak.| Introduction on XS-Leaks Wiki
Some browser features/extensions change the way requests are processed, depending on certain website states generated by the browser. Attackers can sometimes observe the whole process and mess with the browser, triggering actions that produce side effects on those states. WebKit – ITP # Intelligent Tracking Prevention (ITP) is a privacy feature which is part of WebKit Tracking Prevention technologies. It’s a conjunction of several features and aims to prevent a website from tracking a use...| Introduction on XS-Leaks Wiki
The fundamental idea behind designing protections for subresources is that subresources cannot be targeted by XS-Leaks if the attacker cannot make them return any user data. If implemented correctly, this approach can be a very strong defense, though it is likely to be tough to implement and could negatively impact the user experience. tip It can be very effective to deploy this approach on any specific resources that are known to be especially sensitive to XS-Leaks. But, due to the challenge...| Introduction on XS-Leaks Wiki
Document-Policy is an experimental mechanism, similar to another experimental Feature Policy 1, used to cover features which are more about configuring a document, or removing features (sandboxing) from a document or a frame. 2 It can be for example set in a header response as shown in the example below. example Document-Policy: unsized-media=?0, document-write=?0, max-image-bpp=2.0, frame-loading=lazy ForceLoadAtTop # The ForceLoadAtTop feature provides an opt-out for Scroll To Text (and oth...| XS-Leaks Wiki
XS-Leaks Wiki # Overview # Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels 1 built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms 2 to infer information about the user. One way of looking at XS-Leaks is to highlight their similarity with cross-site request forgery (CSRF 3) techniques, with the main difference being th...| XS-Leaks Wiki
Another way to measure the network timing of a request consists of abusing the socket pool of a browser 1. Browsers use sockets to communicate with servers. As the operating system and the hardware it runs on have limited resources, browsers have to impose a limit. Run demo (Chrome) Run demo (Firefox) To exploit the existence of this limit, attackers can: Check what the limit of the browser is, for example 256 global sockets for TCP and 6000 global sockets for UDP. 23 Block \(255\) sockets fo...| XS-Leaks Wiki