From 0b5bcf375c00316b7d44cbf5d98696b5786480cb Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Tue, 4 Aug 2020 13:13:49 +0100
Subject: [PATCH 01/40] Add Double Keyed Cache references and article structure.

---
 .../browser-intrinsic/double-keyd-cache.md    | 60 ++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md b/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
index a29e80106..2648ef7d9 100644
--- a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
+++ b/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
@@ -6,4 +6,62 @@ category = "defenses"
 menu = "main"
 +++
 
-TODO
\ No newline at end of file
+## Explanation
+
+
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1590107
+https://bugs.chromium.org/p/chromium/issues/detail?id=910708
+
+<!--TODO(manuelvsousa): Add reference to cache probing attacks and maybe socket exhaustion-->
+
+
+## Relevant Projects
+
+### Intelligent Tracking Prevention
+
+
+
+
+WebKit
+https://webkit.org/tracking-prevention/
+https://bugs.webkit.org/show_bug.cgi?id=110269
+
+
+{{< hint warning >}}
+A number of XS-Leaks resulted in browser features triggering changes in fundamental web platform features. An [XS-Leak abused ITP features](https://TODO) which could lead to private information leaks.
+{{< /hint >}}
+
+<!--TODO(manuelvsousa): ADD ITP XS-Leak here -->
+
+### First Party Isolation
+
+Mozilla
+
+https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/
+
+## Considerations
+
+
+## XS-Leaks Mitigation Overview
+
+|                           XS-Leak                                 | Double Keyd Cache Mitigation |  Full Mitigation   |
+|:-----------------------------------------------------------------:|:----------------------------:|:-------------------:
+| [Frame Counting]({{< ref "../../attacks/frame-counting.md" >}})   |         ❌                   |         ❌
+| [Navigations]({{< ref "../../attacks/navigations.md" >}})         |         ❌                   |         ❌
+| [ID Leaks]({{< ref "../../attacks/id-attribute.md" >}})           |         ❌                   |         ❌
+
+### Table Caption
+
+- **Double Keyd Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated if the mechanism would exist
+- **Full Mitigation** - Fully mitigates an XS-Leak if the mechanism would exist
+
+
+[^1]: Double-keyed HTTP cache, [link](https://github.com/whatwg/fetch/issues/904)
+[^2]: Explainer - Partition the HTTP Cache, [link](https://github.com/shivanigithub/http-cache-partitioning)
+[^3]: Client-Side Storage Partitioning, [link](https://privacycg.github.io/storage-partitioning/)
+
+
+
+
+
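Review bot: the footnotes [^1], [^2] and [^3] at the end of the added body are defined but nothing in the new text references them, and the hint block links to the placeholder `https://TODO`, which will render as a clickable dead link. Cite the footnotes from the Explanation section or hold them back until the prose exists, and drop the link markup until the target is known. The table separator line and the three data rows also lack the closing `|` that the header row has, and the hunk ends with five empty added lines that can go.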

From 9560b176416d4736c0a329bb906011b7b70a75c0 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Wed, 5 Aug 2020 11:48:08 +0100
Subject: [PATCH 02/40] Add Draft for Partitioned caches.

---
 .../browser-intrinsic/double-keyd-cache.md    | 34 +++++++++----------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md b/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
index 2648ef7d9..1708a62a9 100644
--- a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
+++ b/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
@@ -1,5 +1,5 @@
 +++
-title = "Double Keyed Cache"
+title = "Partitioned HTTP Cache"
 description = ""
 date = "2020-07-21"
 category = "defenses"
@@ -8,44 +8,42 @@ menu = "main"
 
 ## Explanation
 
+Cache probing attacks have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites a user visits, allowing attackers to interact with the cache and extract private information from other origins.
 
+<!--TODO(manuelvsousa): Add reference to cache probing attacks-->
 
-https://bugzilla.mozilla.org/show_bug.cgi?id=1590107
-https://bugs.chromium.org/p/chromium/issues/detail?id=910708
+There is not much applications can do stop these attacks, [apart for some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) which come with tradeoffs. Browsers however have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible to attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested `top-frame origin` and URL as keys for the cache. Triple Keyed has also been considered by browsers.
 
-<!--TODO(manuelvsousa): Add reference to cache probing attacks and maybe socket exhaustion-->
+[Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still studying an implementation for a Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
 
 
+<!--TODO(manuelvsousa): Add socket exhaustion ?-->
+
 ## Relevant Projects
 
 ### Intelligent Tracking Prevention
 
-
-
-
-WebKit
-https://webkit.org/tracking-prevention/
-https://bugs.webkit.org/show_bug.cgi?id=110269
-
+[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features against malicious trackers, containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269).
 
 {{< hint warning >}}
-A number of XS-Leaks resulted in browser features triggering changes in fundamental web platform features. An [XS-Leak abused ITP features](https://TODO) which could lead to private information leaks.
+Several XS-Leaks resulted in browser features triggering changes in fundamental web platform features. One of those XS-Leaks abused ITP features which could lead to private information leaks.
 {{< /hint >}}
 
 <!--TODO(manuelvsousa): ADD ITP XS-Leak here -->
 
 ### First Party Isolation
 
-Mozilla
-
-https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/
+First Party Isolation is a [Browser Extension](https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/) built by Mozilla which restricts access to cookies and persistent data (e.g cache) per domain.
 
 ## Considerations
 
+Partitioned HTTP caches are a promising security feature that will eventually land in browsers. These partitioning strategies will might spread to other browser resources which help to mitigate resilient attack vectors like the [Socket Exhaustion XS-Leak](https://TODO).
+
+<!--TODO(manuelvsousa): Add socket exhaustion ?-->
 
 ## XS-Leaks Mitigation Overview
 
-|                           XS-Leak                                 | Double Keyd Cache Mitigation |  Full Mitigation   |
+|                           XS-Leak                                 | Partitioned Cache Mitigation |  Full Mitigation   |
 |:-----------------------------------------------------------------:|:----------------------------:|:-------------------:
 | [Frame Counting]({{< ref "../../attacks/frame-counting.md" >}})   |         ❌                   |         ❌
 | [Navigations]({{< ref "../../attacks/navigations.md" >}})         |         ❌                   |         ❌
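Review bot: in the Considerations paragraph, "will might spread" stacks two modal verbs and the `[Socket Exhaustion XS-Leak](https://TODO)` link points at a placeholder; in the Explanation paragraph, "There is not much applications can do stop these attacks" is missing "to" and "apart for" should be "apart from". The TODO comment about socket exhaustion is also added twice, once before "Relevant Projects" and once under "Considerations"; one copy is enough.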
@@ -53,8 +51,8 @@ https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/
 
 ### Table Caption
 
-- **Double Keyd Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated if the mechanism would exist
-- **Full Mitigation** - Fully mitigates an XS-Leak if the mechanism would exist
+- **Partitioned Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated if the defense mechanism would exist
+- **Full Mitigation** - Fully mitigates an XS-Leak if the defense mechanism would exist
 
 
 [^1]: Double-keyed HTTP cache, [link](https://github.com/whatwg/fetch/issues/904)
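Review bot: the caption entry "Partitioned Cache Protection" does not match the table column, which this commit renames to "Partitioned Cache Mitigation". Use the same label in both places so a reader can map the caption to the column.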

From 3f5fb996e4990aa42430261652d2e030109b8a11 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Wed, 5 Aug 2020 11:59:14 +0100
Subject: [PATCH 03/40] Fix Partitioned Key Cache Draft.

---
 .../docs/defenses/browser-intrinsic/double-keyd-cache.md    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md b/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
index 1708a62a9..83e6de15a 100644
--- a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
+++ b/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
@@ -8,11 +8,11 @@ menu = "main"
 
 ## Explanation
 
-Cache probing attacks have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites a user visits, allowing attackers to interact with the cache and extract private information from other origins.
+Cache probing attacks have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites visited by a user, allowing attackers to interact with it and extract private information from other origins.
 
 <!--TODO(manuelvsousa): Add reference to cache probing attacks-->
 
-There is not much applications can do stop these attacks, [apart for some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) which come with tradeoffs. Browsers however have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible to attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested `top-frame origin` and URL as keys for the cache. Triple Keyed has also been considered by browsers.
+There is not much applications can do stop these attacks, [apart for some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible to attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
 
 [Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still studying an implementation for a Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
 
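Review bot: the rewritten second paragraph still reads "not much applications can do stop these attacks" (missing "to") and "making it impossible to attackers pages" (should be "impossible for attackers' pages"). Its last sentence joins two independent clauses with ", however,"; end the sentence after "`top-frame origin` and URL" and start a new one for the triple-key remark. "browsers HTTP cache" in the first paragraph needs the possessive.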
@@ -37,7 +37,7 @@ First Party Isolation is a [Browser Extension](https://addons.mozilla.org/en-US/
 
 ## Considerations
 
-Partitioned HTTP caches are a promising security feature that will eventually land in browsers. These partitioning strategies will might spread to other browser resources which help to mitigate resilient attack vectors like the [Socket Exhaustion XS-Leak](https://TODO).
+Partitioned HTTP caches are a promising security feature that will eventually land in browsers. These partitioning strategies will mitigate all the XS-Leaks leveraging browsers caches and might spread to other browser resources which help mitigate resilient attack vectors like the [Socket Exhaustion XS-Leak](https://TODO).
 
 <!--TODO(manuelvsousa): Add socket exhaustion ?-->
 
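Review bot: "will mitigate all the XS-Leaks leveraging browsers caches" is an absolute claim about a feature the same sentence says has not landed yet, and nothing in the page backs "all". Narrow it to the cache probing attacks described under Explanation. The `https://TODO` target of the Socket Exhaustion link is still a placeholder.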

From 534a24d99472a47f7da16691c4c8c0d62612d580 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Wed, 5 Aug 2020 12:21:08 +0100
Subject: [PATCH 04/40] Add improved draft for partitioned cache draft.

---
 content/docs/defenses/browser-intrinsic/double-keyd-cache.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md b/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
index 83e6de15a..28a1e1e06 100644
--- a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
+++ b/content/docs/defenses/browser-intrinsic/double-keyd-cache.md
@@ -8,7 +8,7 @@ menu = "main"
 
 ## Explanation
 
-Cache probing attacks have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites visited by a user, allowing attackers to interact with it and extract private information from other origins.
+[Cache probing attacks](https://TODO) have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites visited by a user, allowing attackers to interact with it and extract private information from other origins.
 
 <!--TODO(manuelvsousa): Add reference to cache probing attacks-->
 
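Review bot: the new `[Cache probing attacks](https://TODO)` link publishes a placeholder URL while the TODO comment right below it still says the reference is missing. Leave the text unlinked until the attack page exists, or point it at that page with a `ref` shortcode as the other internal links do.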
@@ -33,7 +33,7 @@ Several XS-Leaks resulted in browser features triggering changes in fundamental
 
 ### First Party Isolation
 
-First Party Isolation is a [Browser Extension](https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/) built by Mozilla which restricts access to cookies and persistent data (e.g cache) per domain.
+First Party Isolation is a [Browser Extension](https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/) for Firefox which restricts access to cookies and persistent data (e.g cache) per domain.
 
 ## Considerations
 

From 8427bf28778b9206f547c50a366c892127160d9d Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 6 Aug 2020 10:32:03 +0100
Subject: [PATCH 05/40] Rename Double Key to Partitioned Cache.

---
 .../{double-keyd-cache.md => partitioned-cache.md}                | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/docs/defenses/browser-intrinsic/{double-keyd-cache.md => partitioned-cache.md} (100%)

diff --git a/content/docs/defenses/browser-intrinsic/double-keyd-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
similarity index 100%
rename from content/docs/defenses/browser-intrinsic/double-keyd-cache.md
rename to content/docs/defenses/browser-intrinsic/partitioned-cache.md

From f0865ae7b17cdd38184adfb81995a3651b253fb1 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 6 Aug 2020 15:56:26 +0100
Subject: [PATCH 06/40] Add ITP partitioned cache keys.

---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index 28a1e1e06..cdeeba99e 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -23,8 +23,7 @@ There is not much applications can do stop these attacks, [apart for some workar
 
 ### Intelligent Tracking Prevention
 
-[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features against malicious trackers, containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269).
-
+[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features against malicious trackers, containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269). The used keys for the cache are the top frame's eTLD+1 and the origin of each fetched subresource.
 {{< hint warning >}}
 Several XS-Leaks resulted in browser features triggering changes in fundamental web platform features. One of those XS-Leaks abused ITP features which could lead to private information leaks.
 {{< /hint >}}
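Review bot: the blank line between the ITP paragraph and `{{< hint warning >}}` is removed here, so the shortcode now sits directly under the paragraph; that looks unintended for a commit that only adds the cache keys sentence. Keep the blank line, and consider "The cache keys are the top frame's eTLD+1 and ..." instead of "The used keys for the cache are ...".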

From 1c7367a78e588db6ef255e849bde1ad5f570196b Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 6 Aug 2020 23:44:19 +0100
Subject: [PATCH 07/40] Add initial drafts for CORB and CORP.

---
 .../docs/defenses/browser-intrinsic/corb.md   | 21 ++++++++++++++++++-
 content/docs/defenses/opt-in/corp.md          | 17 +++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 content/docs/defenses/opt-in/corp.md

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 6bfd372b4..cce8a785a 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -6,4 +6,23 @@ category = "defenses"
 menu = "main"
 +++
 
-TODO
\ No newline at end of file
+
+## Explanation
+
+Cross-Origin Read Blocking (CORB) is a browser defense mechanism which prevents malicious origin from loading certain cross-origin resources. [^1]
+
+Chrome is the only browser with CORB deployed.
+
+Developers can extend this feature to other 
+
+An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}) which allow applications to **opt in to protection** against other resource requests that might not be covered by CORB itself.
+
+
+## Considerations
+
+{{< hint danger >}}
+CORB ended up introducing a [new set of XS-Leaks](https://TODO) as attackers are able to observe whether a request is blocked or allowed by CORB. This could lead info information leaks if CORB blocks certain requests dependent on user information.
+{{< /hint >}}
+
+[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
+<!-- [^2]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/site-isolation) -->
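Review bot: the added line "Developers can extend this feature to other" stops mid-sentence; finish it or remove it before merging. In the same hunk, "prevents malicious origin" needs an article or a plural, "which allow applications" should be "which allows", and "could lead info information leaks" should be "could lead to information leaks". The commented-out [^2] footnote reuses the CORB title but links to the site-isolation page.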
diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
new file mode 100644
index 000000000..1078fc624
--- /dev/null
+++ b/content/docs/defenses/opt-in/corp.md
@@ -0,0 +1,17 @@
++++
+title = "Cross-Origin-Resource-Policy"
+description = ""
+date = "2020-07-21"
+category = "defenses"
+menu = "main"
++++
+
+
+## Explanation
+
+
+## Considerations
+
+
+[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))
+<!-- [^2]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/site-isolation) -->
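Review bot: the new page has empty "Explanation" and "Considerations" sections, and [^1] is defined without being referenced anywhere in the body. If this is meant as a stub, a TODO comment like the ones in the other drafts would make that explicit. The commented-out [^2] line carries the CORB title with a site-isolation URL and can be dropped.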

From 0c8a9b2509dab279cac2705ed9246a2f1ad44d9f Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Fri, 7 Aug 2020 12:30:49 +0100
Subject: [PATCH 08/40] Add more contents to CORB draft.

---
 content/docs/defenses/browser-intrinsic/corb.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index cce8a785a..9b83cabc1 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -9,19 +9,21 @@ menu = "main"
 
 ## Explanation
 
-Cross-Origin Read Blocking (CORB) is a browser defense mechanism which prevents malicious origin from loading certain cross-origin resources. [^1]
+Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in a situation that does not make sense[^1]. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header (and `nosniff`), but when this is not possible, it sniffs the contents of the resources to infer the type.
+
+An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}) which allow applications to **opt in to protection** against other resource requests that might not be covered automatically by CORB itself.
 
 Chrome is the only browser with CORB deployed.
 
-Developers can extend this feature to other 
+## CORB and XS-Leaks
 
-An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}) which allow applications to **opt in to protection** against other resource requests that might not be covered by CORB itself.
+Some XS-Leaks [timing attacks](https://TODO) and [size leaks](https://TODO) rely on loading `HTML` resources on `tags` that are not appropriate to those contents. Some attacks rely on this tags to . Alternatively, if an attacker tries to use the `video` or `audio` tag and its properties to infer the size of an HTML page, CORB should block.
 
 
 ## Considerations
 
 {{< hint danger >}}
-CORB ended up introducing a [new set of XS-Leaks](https://TODO) as attackers are able to observe whether a request is blocked or allowed by CORB. This could lead info information leaks if CORB blocks certain requests dependent on user information.
+CORB introduced a [new set of XS-Leaks](https://TODO) as attackers are able to observe when a request is blocked or allowed by CORB. This could lead info information leaks if CORB blocks certain requests dependent on user information.
 {{< /hint >}}
 
 [^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
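Review bot: in the new "CORB and XS-Leaks" section, the sentence "Some attacks rely on this tags to ." has no object, and "CORB should block." does not say what is blocked. Both `https://TODO` links in that paragraph are placeholders, and the reworded danger hint still reads "could lead info information leaks".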

From 0ca50f919fda1cbfabae31232e7ee7dead676297 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Fri, 7 Aug 2020 17:29:31 +0100
Subject: [PATCH 09/40] Add pre-final drafts for corb and corp.

---
 content/docs/defenses/browser-intrinsic/corb.md | 12 ++++++------
 content/docs/defenses/opt-in/corp.md            |  3 +++
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 9b83cabc1..c4a314ce7 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -9,15 +9,15 @@ menu = "main"
 
 ## Explanation
 
-Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in a situation that does not make sense[^1]. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header (and `nosniff`), but when this is not possible, it sniffs the contents of the resources to infer the type.
-
-An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}) which allow applications to **opt in to protection** against other resource requests that might not be covered automatically by CORB itself.
+Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in a situation that does not make sense[^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of its process. CORB aims to prevent attackers from loading cross-origin contents into its own process, which might contain private data. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it senses a page is serving content under the wrong `Content-Type` (e.g `text/plain`) it looks to the start of the resource to apply with the correct classification, thus protecting the resource.
 
+{{< hint info >}}
 Chrome is the only browser with CORB deployed.
+{{< /hint >}}
 
-## CORB and XS-Leaks
-
-Some XS-Leaks [timing attacks](https://TODO) and [size leaks](https://TODO) rely on loading `HTML` resources on `tags` that are not appropriate to those contents. Some attacks rely on this tags to . Alternatively, if an attacker tries to use the `video` or `audio` tag and its properties to infer the size of an HTML page, CORB should block.
+{{< hint info >}}
+An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}).
+{{< /hint >}}
 
 
 ## Considerations
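Review bot: the rewritten paragraph drops the `nosniff` mention that the previous draft had, and the replacement sentence about a wrong `Content-Type` is hard to follow: "it looks to the start of the resource to apply with the correct classification" should say plainly that CORB sniffs the beginning of the body to classify it. "allow attackers to read the memory of its process" mixes a plural subject with "its", and "an  HTML" has a double space.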
diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
index 1078fc624..e7aa9ee28 100644
--- a/content/docs/defenses/opt-in/corp.md
+++ b/content/docs/defenses/opt-in/corp.md
@@ -9,6 +9,9 @@ menu = "main"
 
 ## Explanation
 
+Cross-Origin-Resource-Policy (CORP) response header is a complement of [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB). CORP allows applications to **opt in to protection** against other resource requests that might not be covered automatically by CORB itself[^1]. Applications can define which origins are allowed to read its resources.
+
+If an application sets a certain resource CORP Header as `same-site`, an attacker, which is in a different origin is incapable of reading that resource.
 
 ## Considerations
 
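Review bot: the second added sentence describes `same-site` as stopping an attacker "in a different origin", but `same-site` still allows reads from other origins on the same site; origin-level blocking is the `same-origin` value. Either change the example value to `same-origin` or say "different site". The commas around "which is in a different origin" are also unbalanced.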

From 8937d326deecbf3b73d2b9de0c49242734d852c3 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Fri, 7 Aug 2020 17:50:33 +0100
Subject: [PATCH 10/40] Add final drafts for corb and corp.

---
 content/docs/defenses/browser-intrinsic/corb.md | 7 +++----
 content/docs/defenses/opt-in/corp.md            | 4 ++--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index c4a314ce7..42d26b804 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -9,7 +9,7 @@ menu = "main"
 
 ## Explanation
 
-Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in a situation that does not make sense[^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of its process. CORB aims to prevent attackers from loading cross-origin contents into its own process, which might contain private data. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it senses a page is serving content under the wrong `Content-Type` (e.g `text/plain`) it looks to the start of the resource to apply with the correct classification, thus protecting the resource.
+Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in a situation that does not make sense[^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of its own process. CORB aims to prevent attackers from loading cross-origin contents into its own process, which might contain private data. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it senses a page is serving content under the wrong `Content-Type` (e.g `text/plain`) it looks to the start of the resource to apply with the correct classification, thus protecting the resource.
 
 {{< hint info >}}
 Chrome is the only browser with CORB deployed.
@@ -23,8 +23,7 @@ An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{<
 ## Considerations
 
 {{< hint danger >}}
-CORB introduced a [new set of XS-Leaks](https://TODO) as attackers are able to observe when a request is blocked or allowed by CORB. This could lead info information leaks if CORB blocks certain requests dependent on user information.
+CORB introduced a [new set of XS-Leaks](https://TODO) as attackers are able to observe when a request is blocked or allowed by CORB. This could lead to information leaks if CORB blocks certain requests dependent on user information.
 {{< /hint >}}
 
-[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
-<!-- [^2]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/site-isolation) -->
+[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
\ No newline at end of file
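Review bot: the footnote line at the end of the file is re-added without a trailing newline ("\ No newline at end of file"). Keep the final newline so later edits near the footnotes do not show up as spurious changes to this line.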
diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
index e7aa9ee28..3b1fa5957 100644
--- a/content/docs/defenses/opt-in/corp.md
+++ b/content/docs/defenses/opt-in/corp.md
@@ -9,9 +9,9 @@ menu = "main"
 
 ## Explanation
 
-Cross-Origin-Resource-Policy (CORP) response header is a complement of [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB). CORP allows applications to **opt in to protection** against other resource requests that might not be covered automatically by CORB itself[^1]. Applications can define which origins are allowed to read its resources.
+Cross-Origin-Resource-Policy (CORP) response header is a complement of [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB). CORP allows applications to **opt in to protection** in resources that might not be covered automatically by CORB[^1]. Applications can define which origins are allowed to read their resources.
 
-If an application sets a certain resource CORP Header as `same-site`, an attacker, which is in a different origin is incapable of reading that resource.
+If an application sets a certain resource CORP Header as `same-site`, an attacker is incapable of reading that resource because it's in a different origin.
 
 ## Considerations
 
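Review bot: "Applications can define which origins are allowed to read their resources" reads like an allowlist, but the header takes one of a fixed set of values (`same-origin`, `same-site`, `cross-origin`); naming those values would be more accurate than "define which origins". The opening sentence also needs an article: "The Cross-Origin-Resource-Policy (CORP) response header is ...".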

From 5fef16f6eaf456e6708a5b5a18f70c287a434c85 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 10 Aug 2020 13:10:23 +0100
Subject: [PATCH 11/40] Remove title in CORP.

---
 content/docs/defenses/opt-in/corp.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
index 3b1fa5957..0dd468f4b 100644
--- a/content/docs/defenses/opt-in/corp.md
+++ b/content/docs/defenses/opt-in/corp.md
@@ -13,8 +13,4 @@ Cross-Origin-Resource-Policy (CORP) response header is a complement of [Cross-Or
 
 If an application sets a certain resource CORP Header as `same-site`, an attacker is incapable of reading that resource because it's in a different origin.
 
-## Considerations
-
-
-[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))
-<!-- [^2]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/site-isolation) -->
+[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))
\ No newline at end of file

From 30db5e3d87b6146821b30bc3ecf7a609bc79da6d Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 17 Aug 2020 14:16:59 +0100
Subject: [PATCH 12/40] Update content/docs/defenses/browser-intrinsic/corb.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/corb.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 42d26b804..a9d161da5 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -23,7 +23,7 @@ An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{<
 ## Considerations
 
 {{< hint danger >}}
-CORB introduced a [new set of XS-Leaks](https://TODO) as attackers are able to observe when a request is blocked or allowed by CORB. This could lead to information leaks if CORB blocks certain requests dependent on user information.
+CORB introduced a [new set of XS-Leaks](https://TODO) since attackers are able to observe when a request is blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after.
 {{< /hint >}}
 
-[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
\ No newline at end of file
+[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
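Review bot: The rewritten sentence in the `danger` hint still links to the placeholder `https://TODO`, so the strongest claim on the page ("introduced a new set of XS-Leaks") ships with a dead reference. Drop the link markup until the attack article exists, or point it at the real page. The change from "could lead" to "leads" also makes the claim unconditional; "can lead to information leaks when CORB's decision depends on user information" keeps it accurate.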

From 4928c73342e817c2a89659aef377ee44aacfa341 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 17 Aug 2020 14:17:14 +0100
Subject: [PATCH 13/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index cdeeba99e..3d73088e9 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -8,7 +8,7 @@ menu = "main"
 
 ## Explanation
 
-[Cache probing attacks](https://TODO) have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites visited by a user, allowing attackers to interact with it and extract private information from other origins.
+[Cache probing attacks](https://TODO) have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites visited by a user, allowing attackers to interact with it and infer private information from other origins.
 
 <!--TODO(manuelvsousa): Add reference to cache probing attacks-->
 
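Review bot: The added line still reads "browsers HTTP cache is shared", which is missing a possessive; use "the browser's HTTP cache is shared across all the websites". The `[Cache probing attacks](https://TODO)` link and the TODO comment below it describe the same missing reference, so one of them is enough until the target page exists.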
@@ -61,4 +61,3 @@ Partitioned HTTP caches are a promising security feature that will eventually la
 
 
 
-
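Review bot: The trailing blank-line deletion at the end of the file is unrelated to the wording change in the first hunk, and the same one-line deletion repeats in the following partitioned-cache.md commits. Strip all trailing blank lines in a single commit so each wording commit carries only its own change.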

From 2497d802644b02ff37c3e8ae7b8f92cf2bf73742 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 17 Aug 2020 14:18:45 +0100
Subject: [PATCH 14/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index 3d73088e9..faee23d6b 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -23,7 +23,7 @@ There is not much applications can do stop these attacks, [apart for some workar
 
 ### Intelligent Tracking Prevention
 
-[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features against malicious trackers, containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269). The used keys for the cache are the top frame's eTLD+1 and the origin of each fetched subresource.
+[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269). The used keys for the cache are the top frame's eTLD+1 and the origin of each fetched subresource.
 {{< hint warning >}}
 Several XS-Leaks resulted in browser features triggering changes in fundamental web platform features. One of those XS-Leaks abused ITP features which could lead to private information leaks.
 {{< /hint >}}
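Review bot: The changed paragraph runs straight into `{{< hint warning >}}` with no blank line between them; add one so the shortcode renders as its own block. In the added line, "a privacy feature part of WebKit" and "a conjunction of several tracking prevention features containing a partitioned HTTP Cache" are hard to parse; "a privacy feature of WebKit. It combines several tracking prevention features, including a partitioned HTTP cache" says the same thing.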
@@ -60,4 +60,3 @@ Partitioned HTTP caches are a promising security feature that will eventually la
 
 
 
-

From cce14c9a12cbd4e12e88b588b46ca7976d8c48fd Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 17 Aug 2020 14:24:09 +0100
Subject: [PATCH 15/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index faee23d6b..f2abc51c2 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -12,7 +12,7 @@ menu = "main"
 
 <!--TODO(manuelvsousa): Add reference to cache probing attacks-->
 
-There is not much applications can do stop these attacks, [apart for some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible to attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
+There is not much applications can do stop these attacks, [apart for some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
 
 [Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still studying an implementation for a Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
 
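Review bot: The added line fixes "to attackers" but leaves three other errors in the same sentence: "can do stop" needs "to", "apart for" should be "apart from", and "attackers pages" needs a possessive ("attackers' pages"). Since the line is being touched anyway, fix them in this commit.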
@@ -59,4 +59,3 @@ Partitioned HTTP caches are a promising security feature that will eventually la
 [^3]: Client-Side Storage Partitioning, [link](https://privacycg.github.io/storage-partitioning/)
 
 
-

From 00c6170daa814d03dd0609e1c92274600c8b1731 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 17 Aug 2020 14:24:18 +0100
Subject: [PATCH 16/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index f2abc51c2..77a85dd3f 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -36,7 +36,7 @@ First Party Isolation is a [Browser Extension](https://addons.mozilla.org/en-US/
 
 ## Considerations
 
-Partitioned HTTP caches are a promising security feature that will eventually land in browsers. These partitioning strategies will mitigate all the XS-Leaks leveraging browsers caches and might spread to other browser resources which help mitigate resilient attack vectors like the [Socket Exhaustion XS-Leak](https://TODO).
+Partitioned HTTP caches are a promising security feature that will eventually land in browsers. These partitioning strategies will mitigate all the XS-Leaks leveraging browsers caches and might be extended to other browser resources which help mitigate resilient attack vectors like the [Socket Exhaustion XS-Leak](https://TODO).
 
 <!--TODO(manuelvsousa): Add socket exhaustion ?-->
 
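Review bot: In the added line the relative clause "which help mitigate resilient attack vectors" has no clear subject; it reads as if the other browser resources do the mitigating. Suggest "might be extended to other browser resources, which would help mitigate". "browsers caches" also needs a possessive, and the Socket Exhaustion link still targets `https://TODO` while the TODO comment below asks whether to add it at all.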
@@ -58,4 +58,3 @@ Partitioned HTTP caches are a promising security feature that will eventually la
 [^2]: Explainer - Partition the HTTP Cache, [link](https://github.com/shivanigithub/http-cache-partitioning)
 [^3]: Client-Side Storage Partitioning, [link](https://privacycg.github.io/storage-partitioning/)
 
-

From 4ac4e273c9f2ad09102f3318fb3949a24fe5562b Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 17 Aug 2020 14:24:45 +0100
Subject: [PATCH 17/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index 77a85dd3f..f98767cac 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -48,7 +48,7 @@ Partitioned HTTP caches are a promising security feature that will eventually la
 | [Navigations]({{< ref "../../attacks/navigations.md" >}})         |         ❌                   |         ❌
 | [ID Leaks]({{< ref "../../attacks/id-attribute.md" >}})           |         ❌                   |         ❌
 
-### Table Caption
+### Table Legend
 
 - **Partitioned Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated if the defense mechanism would exist
 - **Full Mitigation** - Fully mitigates an XS-Leak if the defense mechanism would exist
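Review bot: The first entry under the renamed heading is labelled "Partitioned Cache Protection", and a legend only works if that label matches the table's column header exactly; the header row is outside this hunk, so please check the two agree. Both legend entries also end with "if the defense mechanism would exist", which reads better as "once the defense mechanism is deployed".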
@@ -57,4 +57,3 @@ Partitioned HTTP caches are a promising security feature that will eventually la
 [^1]: Double-keyed HTTP cache, [link](https://github.com/whatwg/fetch/issues/904)
 [^2]: Explainer - Partition the HTTP Cache, [link](https://github.com/shivanigithub/http-cache-partitioning)
 [^3]: Client-Side Storage Partitioning, [link](https://privacycg.github.io/storage-partitioning/)
-

From b9069ad19db0925142ac48b1d0b4a78af960c685 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 17 Aug 2020 14:25:02 +0100
Subject: [PATCH 18/40] Update content/docs/defenses/opt-in/corp.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/opt-in/corp.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
index 0dd468f4b..266432a23 100644
--- a/content/docs/defenses/opt-in/corp.md
+++ b/content/docs/defenses/opt-in/corp.md
@@ -9,8 +9,8 @@ menu = "main"
 
 ## Explanation
 
-Cross-Origin-Resource-Policy (CORP) response header is a complement of [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB). CORP allows applications to **opt in to protection** in resources that might not be covered automatically by CORB[^1]. Applications can define which origins are allowed to read their resources.
+Cross-Origin-Resource-Policy (CORP) response header is a complement of [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB). CORP allows applications to **opt into the protection** for resources that might not be covered automatically by CORB[^1]. Applications can define which origins are allowed to read their resources.
 
 If an application sets a certain resource CORP Header as `same-site`, an attacker is incapable of reading that resource because it's in a different origin.
 
-[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))
\ No newline at end of file
+[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))
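Review bot: The unchanged sentence "Applications can define which origins are allowed to read their resources" reads as if CORP accepted an origin allowlist, but the header only selects a scope (`same-origin`, `same-site` or `cross-origin`); say that instead. The changed line also opens with "Cross-Origin-Resource-Policy (CORP) response header is", which is missing a leading "The".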

From 07eaadcc43023dab5c77fcb37c84b015cd994501 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 17 Aug 2020 14:25:37 +0100
Subject: [PATCH 19/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index f98767cac..fe5496d01 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -14,7 +14,7 @@ menu = "main"
 
 There is not much applications can do stop these attacks, [apart for some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
 
-[Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still studying an implementation for a Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
+[Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still discussing an implementation for a Multi-Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
 
 
 <!--TODO(manuelvsousa): Add socket exhaustion ?-->
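Review bot: The added line introduces "Multi-Keyed Cache" while the context paragraph directly above talks about "double keys" and "triple keys" and the file is named partitioned-cache.md; pick one term and use it throughout. "already runs a version of it since 2013" should be "has run a version of it since 2013".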

From ddbe7edfe7fba3f494110ed6ffc15566a4300917 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Tue, 18 Aug 2020 13:10:31 +0100
Subject: [PATCH 20/40] Apply Rob suggestion to CORB.

---
 content/docs/defenses/browser-intrinsic/corb.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index a9d161da5..850d5b31d 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -9,7 +9,7 @@ menu = "main"
 
 ## Explanation
 
-Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in a situation that does not make sense[^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of its own process. CORB aims to prevent attackers from loading cross-origin contents into its own process, which might contain private data. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it senses a page is serving content under the wrong `Content-Type` (e.g `text/plain`) it looks to the start of the resource to apply with the correct classification, thus protecting the resource.
+Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in impossible scenarios [^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of their own process. CORB aims to prevent attackers from loading cross-origin contents which might contain sensitive information into an attacker controlled process. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it detects a page does not serve a `nosniff` header it detects if the resource is worth protecting by looking at the beginning of the response body.
 
 {{< hint info >}}
 Chrome is the only browser with CORB deployed.
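Review bot: In the added line, "does not serve a `nosniff` header" names a value rather than a header; write `X-Content-Type-Options: nosniff` so readers can find it. "in impossible scenarios" does not tell the reader what is blocked; the example that follows (HTML, XML or JSON loaded through an `img` or `script` tag) is the definition, so lead with it. There is also a double space in "an  HTML", and "it detects ... it detects" repeats within one sentence.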

From a7de53288379b5f8e3ad9f7a8b1d5bf0a5d7b9bf Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Tue, 18 Aug 2020 15:40:10 +0100
Subject: [PATCH 21/40] Add Rob suggestion to Partitioned Cached: Vary Header
 with Fetch-Metadata.

---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index fe5496d01..678860070 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -12,7 +12,7 @@ menu = "main"
 
 <!--TODO(manuelvsousa): Add reference to cache probing attacks-->
 
-There is not much applications can do stop these attacks, [apart for some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
+Considering Opt-in solutions, applications can use the [`Vary` Header combined with `Fetch-Metadata`](https://TODO) to restrict the cache usage to a certain group of origins or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
 
 [Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still discussing an implementation for a Multi-Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
 
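Review bot: The added line recommends "`Vary` Header combined with `Fetch-Metadata`" without naming which request header goes into `Vary` (for example `Sec-Fetch-Site`), and the link that should explain it targets `https://TODO`. State the header in the sentence so the advice is usable without the link. "which come with tradeoffs" now trails two options and it is unclear whether it applies to both or only to the workarounds.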

From b7408142bbf2536558c697e3f6d9f9f925366c8a Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Tue, 18 Aug 2020 19:43:38 +0100
Subject: [PATCH 22/40] Apply Rob's suggestion to ITP warning.

---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index 678860070..f283ba793 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -24,8 +24,9 @@ Considering Opt-in solutions, applications can use the [`Vary` Header combined w
 ### Intelligent Tracking Prevention
 
 [Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269). The used keys for the cache are the top frame's eTLD+1 and the origin of each fetched subresource.
+
 {{< hint warning >}}
-Several XS-Leaks resulted in browser features triggering changes in fundamental web platform features. One of those XS-Leaks abused ITP features which could lead to private information leaks.
+Researchers found out attackers [could abuse some ITP features](https://TODO) to infer to private user data.
 {{< /hint >}}
 
 <!--TODO(manuelvsousa): ADD ITP XS-Leak here -->
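Review bot: The added line has a stray "to" in "to infer to private user data". "Researchers found out attackers could abuse" also reads better as "Researchers found that attackers could abuse".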

From f3d2b3b8e7dbe7d10bf24e3560ca189a641cbc85 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Tue, 25 Aug 2020 20:22:26 +0100
Subject: [PATCH 23/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index f283ba793..14df0ca2a 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -26,7 +26,7 @@ Considering Opt-in solutions, applications can use the [`Vary` Header combined w
 [Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269). The used keys for the cache are the top frame's eTLD+1 and the origin of each fetched subresource.
 
 {{< hint warning >}}
-Researchers found out attackers [could abuse some ITP features](https://TODO) to infer to private user data.
+Researchers found out attackers [could abuse some ITP features](https://TODO) to infer private user data.
 {{< /hint >}}
 
 <!--TODO(manuelvsousa): ADD ITP XS-Leak here -->
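Review bot: The corrected sentence still links "could abuse some ITP features" to `https://TODO` and does not say which features, so the warning gives the reader nothing to act on. Name the feature or cite the research once the reference mentioned in the TODO comment is available, and fold this one-word fix into the commit that introduced the sentence.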

From 22cf2cc7a1a94bebd862aeaf80b8d2511dfc93ff Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 3 Sep 2020 12:54:08 +0100
Subject: [PATCH 24/40] Change CORB article with new wording and insights.

---
 content/docs/defenses/opt-in/corp.md | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
index 266432a23..e8d4ec426 100644
--- a/content/docs/defenses/opt-in/corp.md
+++ b/content/docs/defenses/opt-in/corp.md
@@ -6,11 +6,20 @@ category = "defenses"
 menu = "main"
 +++
 
+Cross-Origin-Resource-Policy (CORP) response header enforces [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB) as it provides more protection by covering more resources [^1]. Both protect against speculative side-channel attacks (Spectre) by preventing attackers from loading certain cross-origin resources in elements like `script`, `img`, `video`, etc. Unlike CORB, this protection is enforced in the browser if an application **opts into the protection**. Applications can define which groups of origins (same-site, same-origin, cross-site) are allowed to read their resources.
 
-## Explanation
+If an application sets a certain resource CORP Header as `same-site` or `same-origin`, an attacker origin is incapable of reading that resource because is not part of the CORP group of origins.
 
-Cross-Origin-Resource-Policy (CORP) response header is a complement of [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB). CORP allows applications to **opt into the protection** for resources that might not be covered automatically by CORB[^1]. Applications can define which origins are allowed to read their resources.
+{{< hint info >}}
+Firefox is the only browser with CORP deployed.
+{{< /hint >}}
 
-If an application sets a certain resource CORP Header as `same-site`, an attacker is incapable of reading that resource because it's in a different origin.
+{{< hint info >}}
+[Cross-Origin Read Blocking (CORB)]({{< ref "../browser-intrinsic/corb.md" >}}), a similar protection, is an no-opt protection based on heuristics to prevent attackers from loading certain cross-origin resources in impractical scenarios.
+{{< /hint >}}
 
-[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))
+{{< hint warning >}}
+This mechanism introduced [a new XS-Leak](https://TODO), which allows attackers detect wether CORP was enforced in a certain request.
+{{< /hint >}}
+
+[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))
\ No newline at end of file
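Review bot: The added list of groups "(same-site, same-origin, cross-site)" names a value CORP does not have; the third value is `cross-origin`. Put the three values in backticks as they appear in the header. "enforces Cross-Origin Read Blocking (CORB) as it provides more protection" is also unclear, since CORP is a separate opt-in header rather than something that switches CORB on; "extends the protection CORB offers" is closer. Smaller points in the added lines: "because is not part" is missing "it", "an no-opt" should be "a", "wether" should be "whether", "allows attackers detect" needs "to", the `## Explanation` heading is dropped without a replacement, the new XS-Leak link targets `https://TODO`, and the footnote line again loses its trailing newline. The subject says CORB but the file changed is corp.md.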

From 82d8aa67f31bdc762ce260aa36ee01e3cf7ffcac Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 3 Sep 2020 12:58:12 +0100
Subject: [PATCH 25/40] Remove old TODO.

---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index 14df0ca2a..6f6617a1f 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -16,9 +16,6 @@ Considering Opt-in solutions, applications can use the [`Vary` Header combined w
 
 [Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still discussing an implementation for a Multi-Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
 
-
-<!--TODO(manuelvsousa): Add socket exhaustion ?-->
-
 ## Relevant Projects
 
 ### Intelligent Tracking Prevention

From e59ac50f08aa21955b760756a2bc860d4f734668 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 3 Sep 2020 13:01:43 +0100
Subject: [PATCH 26/40] Add new visual to Partitioned cache article.

---
 .../docs/defenses/browser-intrinsic/partitioned-cache.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index 6f6617a1f..851af4444 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -14,7 +14,14 @@ menu = "main"
 
 Considering Opt-in solutions, applications can use the [`Vary` Header combined with `Fetch-Metadata`](https://TODO) to restrict the cache usage to a certain group of origins or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
 
-[Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still discussing an implementation for a Multi-Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
+{{< hint info >}}
+Chrome [^1] and Firefox [^2] are still discussing an implementation for a Multi-Keyed Cache while Safari [^3] already runs a version of it since 2013.
+
+[^1]: Split Disk Cache Meta Bug (Blink), [link](https://bugs.chromium.org/p/chromium/issues/detail?id=910708)
+[^2]: Top-level site partitioning (Gecko), [link](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107)
+[^3]: Optionally partition cache to prevent using cache for tracking (Webkit), [link](https://bugs.webkit.org/show_bug.cgi?id=110269)
+{{< /hint >}}
+
 
 ## Relevant Projects
 
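Review bot: The footnote labels `[^1]`, `[^2]` and `[^3]` defined inside the new hint are already used by the context paragraph directly above it for the partitioning references, so the same identifiers now point at two different sets of sources. Rename the new ones (for example `[^4]` to `[^6]`) and move their definitions to the footnote list at the end of the file rather than inside the shortcode. "already runs a version of it since 2013" should be "has run a version of it since 2013".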

From b20540ddb86f146bc77a9aa1bd332febd4f5e94e Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 3 Sep 2020 13:19:41 +0100
Subject: [PATCH 27/40] Fix impossible wording in corp/corp

---
 content/docs/defenses/browser-intrinsic/corb.md | 8 ++++++--
 content/docs/defenses/opt-in/corp.md            | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 850d5b31d..7857a19aa 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -9,14 +9,18 @@ menu = "main"
 
 ## Explanation
 
-Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in impossible scenarios [^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of their own process. CORB aims to prevent attackers from loading cross-origin contents which might contain sensitive information into an attacker controlled process. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it detects a page does not serve a `nosniff` header it detects if the resource is worth protecting by looking at the beginning of the response body.
+Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in unlikely scenarios [^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of their own process. CORB aims to prevent attackers from loading cross-origin contents which might contain sensitive information into an attacker-controlled process. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it detects a page does not serve a `nosniff` header it detects if the resource is worth protecting by looking at the beginning of the response body.
 
 {{< hint info >}}
 Chrome is the only browser with CORB deployed.
 {{< /hint >}}
 
 {{< hint info >}}
-An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}).
+[Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}) is a protection with enforces and extends CORB automatically offers.
+{{< /hint >}}
+
+{{< hint warning >}}
+Firefox is the only browser with CORP deployed.
 {{< /hint >}}
 
 
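Review bot: The added hint "is a protection with enforces and extends CORB automatically offers" does not parse; something like "is an opt-in protection which enforces and extends what CORB offers automatically" appears to be the intent. The second added hint states CORP's deployment status as a `warning` inside the CORB article, right after the `info` hint on CORB's own status; it is a fact about another mechanism, so make it `info` or leave it to corp.md, which already carries the same sentence.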
diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
index e8d4ec426..b0da1ca8e 100644
--- a/content/docs/defenses/opt-in/corp.md
+++ b/content/docs/defenses/opt-in/corp.md
@@ -15,7 +15,7 @@ Firefox is the only browser with CORP deployed.
 {{< /hint >}}
 
 {{< hint info >}}
-[Cross-Origin Read Blocking (CORB)]({{< ref "../browser-intrinsic/corb.md" >}}), a similar protection, is an no-opt protection based on heuristics to prevent attackers from loading certain cross-origin resources in impractical scenarios.
+[Cross-Origin Read Blocking (CORB)]({{< ref "../browser-intrinsic/corb.md" >}}), a similar protection, is an no-opt protection based on heuristics to prevent attackers from loading certain cross-origin resources in unlikely scenarios.
 {{< /hint >}}
 
 {{< hint warning >}}
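Review bot: The added line keeps "an no-opt protection", which should be "a", and "no-opt" is not a term a reader will recognise; "enabled by default" or "not opt-in" is clearer. "unlikely scenarios" is now consistent with the wording in corb.md, but it would help to give the same `img`/`script` example here so the hint stands on its own.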

From 2f5e09e0742e456488bdae89ff55f6837ec3e036 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 3 Sep 2020 13:21:35 +0100
Subject: [PATCH 28/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index 851af4444..d5bc2ec26 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -12,7 +12,7 @@ menu = "main"
 
 <!--TODO(manuelvsousa): Add reference to cache probing attacks-->
 
-Considering Opt-in solutions, applications can use the [`Vary` Header combined with `Fetch-Metadata`](https://TODO) to restrict the cache usage to a certain group of origins or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
+Considering Opt-in solutions, applications can use the [`Vary` Header combined with `Fetch-Metadata`](https://TODO) to prevent cross-origin fetches to be affected by the site cache or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with downsides. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with finer grained keys such as the tuple <`top-frame origin`, URL> or even triples of values.
 
 {{< hint info >}}
 Chrome [^1] and Firefox [^2] are still discussing an implementation for a Multi-Keyed Cache while Safari [^3] already runs a version of it since 2013.
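Review bot: "to prevent cross-origin fetches to be affected by the site cache" in the added line is not idiomatic; "to prevent cross-origin fetches from being affected by the site cache" reads correctly. The `Vary`/`Fetch-Metadata` link still points at `https://TODO`, which should be resolved or dropped before this is published.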

From 3b4c9afb647e5eaa3a2e544b05e7b9071fbd28fa Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 3 Sep 2020 13:22:48 +0100
Subject: [PATCH 29/40] Fix Word in partitioned caches article.

---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index d5bc2ec26..df3caf68b 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -12,7 +12,7 @@ menu = "main"
 
 <!--TODO(manuelvsousa): Add reference to cache probing attacks-->
 
-Considering Opt-in solutions, applications can use the [`Vary` Header combined with `Fetch-Metadata`](https://TODO) to prevent cross-origin fetches to be affected by the site cache or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with downsides. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with finer grained keys such as the tuple <`top-frame origin`, URL> or even triples of values.
+Considering Opt-in solutions, applications can use the [`Vary` Header combined with `Fetch-Metadata`](https://TODO) to prevent cross-origin fetches to be affected by the site cache or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with downsides. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with finer-grained keys such as the tuple <`top-frame origin`, URL> or even triples of values.
 
 {{< hint info >}}
 Chrome [^1] and Firefox [^2] are still discussing an implementation for a Multi-Keyed Cache while Safari [^3] already runs a version of it since 2013.
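Review bot: The line being fixed still has "attackers pages", which should be "attacker pages" or "attackers' pages"; worth correcting in the same pass as the hyphen. In the context hint below it, "already runs a version of it since 2013" should be "has run a version of it since 2013".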

From 7b47c7e030e8667ae134cf7b16242a03fc26a56c Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 3 Sep 2020 16:34:49 +0100
Subject: [PATCH 30/40] Add warning about impact regarding CORB protection

---
 content/docs/defenses/browser-intrinsic/corb.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 7857a19aa..9bd5cc72c 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -26,8 +26,8 @@ Firefox is the only browser with CORP deployed.
 
 ## Considerations
 
-{{< hint danger >}}
-CORB introduced a [new set of XS-Leaks](https://TODO) since attackers are able to observe when a request is blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after.
+{{< hint warning >}}
+CORB introduced a [new set of XS-Leaks](https://TODO) since attackers are able to observe whether a request was blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after. However, the introduced XS-Leak have a lower impact than a Spectre exploitation of the CORB-protected resources.
 {{< /hint >}}
 
 [^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
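Review bot: The added sentence "the introduced XS-Leak have a lower impact" does not agree with "a new set of XS-Leaks" earlier in the same paragraph; use "the introduced XS-Leaks have". The downgrade from `danger` to `warning` rests on that comparison with Spectre, so a reference backing it would help, and the `[new set of XS-Leaks](https://TODO)` link is still a placeholder.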

From 87d18be85459e6e59b28197c29316ccdcdf6e70a Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Thu, 3 Sep 2020 17:04:07 +0100
Subject: [PATCH 31/40] Change CORB wording.

---
 content/docs/defenses/browser-intrinsic/corb.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 9bd5cc72c..ec86a8c88 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -9,7 +9,9 @@ menu = "main"
 
 ## Explanation
 
-Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in unlikely scenarios [^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of their own process. CORB aims to prevent attackers from loading cross-origin contents which might contain sensitive information into an attacker-controlled process. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it detects a page does not serve a `nosniff` header it detects if the resource is worth protecting by looking at the beginning of the response body.
+Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in unlikely scenarios [^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of their own process. CORB aims to prevent attackers from loading cross-origin contents which might contain sensitive information into an attacker-controlled process. For instance, if an attacker tries to load an  HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. 
+
+To classify resource types CORB uses the `Content-Type` header if `nosniff` is set. In case the page does not serve a `nosniff` header CORB will, based on heuristics, check if the resource is worth protecting by looking at the beginning of the response body.
 
 {{< hint info >}}
 Chrome is the only browser with CORB deployed.
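Review bot: The first added line ends in trailing whitespace after "happening." and keeps the double space in "an  HTML"; "an HTML, XML, or JSON" also lacks its noun ("resource" or "response"). In the new second paragraph, "In case the page does not serve a `nosniff` header CORB will, based on heuristics, check if ..." would read better as "If the response has no `nosniff` header, CORB uses heuristics on the beginning of the response body to decide whether the resource is worth protecting".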

From d4f42cd5f8d132653b466415f3cc7d24abff9fd4 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 7 Sep 2020 21:47:33 +0100
Subject: [PATCH 32/40] Remove firefox is the only with corp deployed message.

---
 content/docs/defenses/opt-in/corp.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
index b0da1ca8e..da5f01ccd 100644
--- a/content/docs/defenses/opt-in/corp.md
+++ b/content/docs/defenses/opt-in/corp.md
@@ -10,10 +10,6 @@ Cross-Origin-Resource-Policy (CORP) response header enforces [Cross-Origin Read
 
 If an application sets a certain resource CORP Header as `same-site` or `same-origin`, an attacker origin is incapable of reading that resource because is not part of the CORP group of origins.
 
-{{< hint info >}}
-Firefox is the only browser with CORP deployed.
-{{< /hint >}}
-
 {{< hint info >}}
 [Cross-Origin Read Blocking (CORB)]({{< ref "../browser-intrinsic/corb.md" >}}), a similar protection, is an no-opt protection based on heuristics to prevent attackers from loading certain cross-origin resources in unlikely scenarios.
 {{< /hint >}}
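Review bot: This removal is incomplete on its own: at this point in the series corb.md still carries the same "Firefox is the only browser with CORP deployed" hint, which is only dropped in PATCH 33. Removing both copies in one commit keeps the two pages consistent at every revision.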

From 63ed7bfc22df286497436df7ec7326efa72d6f73 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 7 Sep 2020 21:59:40 +0100
Subject: [PATCH 33/40] Drop mention to CORP in CORB article.

---
 content/docs/defenses/browser-intrinsic/corb.md | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index ec86a8c88..61db53a2e 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -17,15 +17,6 @@ To classify resource types CORB uses the `Content-Type` header if `nosniff` is s
 Chrome is the only browser with CORB deployed.
 {{< /hint >}}
 
-{{< hint info >}}
-[Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}) is a protection with enforces and extends CORB automatically offers.
-{{< /hint >}}
-
-{{< hint warning >}}
-Firefox is the only browser with CORP deployed.
-{{< /hint >}}
-
-
 ## Considerations
 
 {{< hint warning >}}
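Review bot: Deleting the CORP cross-reference hint together with the Firefox hint leaves the CORB article with no link to CORP until PATCH 34 adds a reworded one back. Keep the removal to the Firefox hint and reword the CORP sentence in place, so that 33 and 34 collapse into one change.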

From fb2eab2bee218cfb10121801706d36f59bec244d Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 7 Sep 2020 22:06:56 +0100
Subject: [PATCH 34/40] Add CORP hint in CORB article.

---
 content/docs/defenses/browser-intrinsic/corb.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 61db53a2e..42d9257e2 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -17,6 +17,11 @@ To classify resource types CORB uses the `Content-Type` header if `nosniff` is s
 Chrome is the only browser with CORB deployed.
 {{< /hint >}}
 
+{{< hint info >}}
+[Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}) is an opt-in protection which enforces and extends CORB.
+{{< /hint >}}
+
+
 ## Considerations
 
 {{< hint warning >}}
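Review bot: "enforces and extends CORB" is unclear for an opt-in header, since it does not say what is being enforced. The wording this series replaced called CORP "an important complement of CORB", which is easier to defend. The hunk also adds two blank lines before `## Considerations` where one is enough.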

From bcdce5b2a4eb8ce7e0912a73339daaaaa547e187 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Mon, 7 Sep 2020 23:02:51 +0100
Subject: [PATCH 35/40] Remaster sentence in CORP article.

---
 content/docs/defenses/opt-in/corp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/opt-in/corp.md b/content/docs/defenses/opt-in/corp.md
index da5f01ccd..1cd677fd7 100644
--- a/content/docs/defenses/opt-in/corp.md
+++ b/content/docs/defenses/opt-in/corp.md
@@ -6,7 +6,7 @@ category = "defenses"
 menu = "main"
 +++
 
-Cross-Origin-Resource-Policy (CORP) response header enforces [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB) as it provides more protection by covering more resources [^1]. Both protect against speculative side-channel attacks (Spectre) by preventing attackers from loading certain cross-origin resources in elements like `script`, `img`, `video`, etc. Unlike CORB, this protection is enforced in the browser if an application **opts into the protection**. Applications can define which groups of origins (same-site, same-origin, cross-site) are allowed to read their resources.
+Cross-Origin-Resource-Policy (CORP) response header enforces [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB) as it provides more protection by covering more resources [^1]. Both protect against speculative side-channel attacks (Spectre) by preventing attackers from loading certain cross-origin resources in elements like `script`, `img`, `video`, etc. Unlike CORB, this protection is enforced in the browser only if an application **opts into the protection**. Applications can define which groups of origins (same-site, same-origin, cross-site) are allowed to read their resources.
 
 If an application sets a certain resource CORP Header as `same-site` or `same-origin`, an attacker origin is incapable of reading that resource because is not part of the CORP group of origins.
 
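Review bot: The changed sentence still opens without an article ("Cross-Origin-Resource-Policy (CORP) response header enforces ...") and "enforces ... (CORB) as it provides more protection" does not follow; "The Cross-Origin-Resource-Policy (CORP) response header extends ... (CORB) by covering more resources" would be clearer. The context line "because is not part of the CORP group of origins" is also missing "it".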

From 5c18cc7910643de36437348e7dcd913c3f356fe4 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Tue, 8 Sep 2020 00:12:07 +0100
Subject: [PATCH 36/40] Change CORB reference from presentation page to
 explainer

---
 content/docs/defenses/browser-intrinsic/corb.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 42d9257e2..023b932e3 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -28,4 +28,4 @@ Chrome is the only browser with CORB deployed.
 CORB introduced a [new set of XS-Leaks](https://TODO) since attackers are able to observe whether a request was blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after. However, the introduced XS-Leak have a lower impact than a Spectre exploitation of the CORB-protected resources.
 {{< /hint >}}
 
-[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
+[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md)
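Review bot: The footnote text still reads "Cross-Origin Read Blocking for Web Developers" although the link now targets `cross_origin_read_blocking_explainer.md`; update the title to match the explainer. The URL also follows the `master` branch, so it breaks if the file moves; a link pinned to a commit is more durable.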

From 306d36e13f937e9b6afebeb9ee2f787f36a69ddc Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Tue, 8 Sep 2020 00:21:25 +0100
Subject: [PATCH 37/40] Fix Plural in a CORB sentence.

---
 content/docs/defenses/browser-intrinsic/corb.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 023b932e3..7f8ca68f8 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -25,7 +25,7 @@ Chrome is the only browser with CORB deployed.
 ## Considerations
 
 {{< hint warning >}}
-CORB introduced a [new set of XS-Leaks](https://TODO) since attackers are able to observe whether a request was blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after. However, the introduced XS-Leak have a lower impact than a Spectre exploitation of the CORB-protected resources.
+CORB introduced a [new XS-Leak](https://TODO) since attackers are able to observe whether a request was blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after. However, the introduced XS-Leak have a lower impact than a Spectre exploitation of the CORB-protected resources.
 {{< /hint >}}
 
 [^1]: Cross-Origin Read Blocking for Web Developers, [link](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md)
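Review bot: With the subject now singular ("a new XS-Leak"), the last sentence of the same added line still says "the introduced XS-Leak have"; it should be "has".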

From b7dbc345ad40a6f6b77eb835a3a2bc88bc6d47e6 Mon Sep 17 00:00:00 2001
From: terjanq <terjanq@users.noreply.github.com>
Date: Tue, 8 Sep 2020 12:13:27 +0200
Subject: [PATCH 38/40] Update corb.md

Fixed singular
---
 content/docs/defenses/browser-intrinsic/corb.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/corb.md b/content/docs/defenses/browser-intrinsic/corb.md
index 7f8ca68f8..07771f1a3 100644
--- a/content/docs/defenses/browser-intrinsic/corb.md
+++ b/content/docs/defenses/browser-intrinsic/corb.md
@@ -25,7 +25,7 @@ Chrome is the only browser with CORB deployed.
 ## Considerations
 
 {{< hint warning >}}
-CORB introduced a [new XS-Leak](https://TODO) since attackers are able to observe whether a request was blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after. However, the introduced XS-Leak have a lower impact than a Spectre exploitation of the CORB-protected resources.
+CORB introduced a [new XS-Leak](https://TODO) since attackers are able to observe whether a request was blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after. However, the introduced XS-Leak has a lower impact than a Spectre exploitation of the CORB-protected resources.
 {{< /hint >}}
 
 [^1]: Cross-Origin Read Blocking for Web Developers, [link](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md)
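Review bot: The link target in `[new XS-Leak](https://TODO)` is still a placeholder on the line being edited. Point it at the relevant attack page with a `ref` shortcode, or drop the link and leave an HTML TODO comment like the one in partitioned-cache.md.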

From 733615e37c8115539350bee357ddd0dc609c3db0 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Wed, 9 Sep 2020 11:55:04 +0100
Subject: [PATCH 39/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index df3caf68b..08ba8aa50 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -55,7 +55,7 @@ Partitioned HTTP caches are a promising security feature that will eventually la
 
 ### Table Legend
 
-- **Partitioned Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated if the defense mechanism would exist
+- **Partitioned Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated
 - **Full Mitigation** - Fully mitigates an XS-Leak if the defense mechanism would exist
 
 
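Review bot: After this change the two legend entries disagree: **Full Mitigation** on the next line still ends with "if the defense mechanism would exist". Trim both entries in one commit; PATCH 40 only does the second half.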

From aeb7a1024d26ca43abc4f7d9523a44588d20fe74 Mon Sep 17 00:00:00 2001
From: Manuel Sousa <manuelsousamvs@gmail.com>
Date: Wed, 9 Sep 2020 11:55:23 +0100
Subject: [PATCH 40/40] Update
 content/docs/defenses/browser-intrinsic/partitioned-cache.md

Co-authored-by: Roberto Clapis <empijei@users.noreply.github.com>
---
 content/docs/defenses/browser-intrinsic/partitioned-cache.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/defenses/browser-intrinsic/partitioned-cache.md b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
index 08ba8aa50..c3346b33e 100644
--- a/content/docs/defenses/browser-intrinsic/partitioned-cache.md
+++ b/content/docs/defenses/browser-intrinsic/partitioned-cache.md
@@ -56,7 +56,7 @@ Partitioned HTTP caches are a promising security feature that will eventually la
 ### Table Legend
 
 - **Partitioned Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated
-- **Full Mitigation** - Fully mitigates an XS-Leak if the defense mechanism would exist
+- **Full Mitigation** - Fully mitigates an XS-Leak
 
 
 [^1]: Double-keyed HTTP cache, [link](https://github.com/whatwg/fetch/issues/904)
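Review bot: The two legend entries are now phrased differently: "can be mitigated" against "Fully mitigates an XS-Leak", which has no subject. Parallel wording such as "At least one variant of the XS-Leak is mitigated" and "The XS-Leak is fully mitigated" reads better, and "variant" is clearer than "attack alternative".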