May 17 F2F meeting

Brief summary of COWL

See Editor draft

Framework:

• Labels
• Privileges
• Labeled contexts/data (objects, requests, responses, etc.)

Goals:

• Privilege separation
• Least privilege
• Confinement

Changes to spec since last meeting

• Labels are now composed of principals, which are now one of:

  1. "Traditional origins" (e.g., https://mozilla.org:443)
  2. App-specific principals (e.g., app:user or app:maps)
  3. Unique/fresh principals (unique:<UUID>)

• Header label values similar to JS API

  E.g.,

  Sec-COWL: ctx-confidentiality 'none';
            ctx-integrity 'none';
            ctx-privilege https://university.edu OR app:user1
  

• Top-level pages cannot get tainted: can only read labeled data that the context subsumes

• Integration with WebSockets

  • Don't allow creating websockets that the context can't write to
  • Close sockets once context gets tainted if can no longer write to (or read from) end-server

• More flexible APIs

  • Set integrity labels in JS APIs/headers to sensible defaults when omitted

To discuss F2F (see GitHub issues)

• New editor: Niklas Andréasson (Masters student at Chalmers, working with strong information flow team - Alejandro Russo)
• Same-origin edge case (IPC vs. shared DOM)
• Integration with ServiceWorkers
• Alternative design point (we disallow certain APIs in confined iframes)
• Leaks via iframe resizing

Status of FF implementation

Complete:

• Labels
• Privileges
• Labeled contexts + basic confinement enforcement
• Labeled Objects
• Sec-COWL HTTP response header
• Receive XHR labeled-json support
• Confinement checks in prefetching code to avoid leaks via TCP preconnet or HTTP request

TODO

• Workers
• Sec-COWL HTTP request header
• Send XHR labeled-json support
• WebSocket killing
• ServiceWorkers