![]() ![]() They have either a X-Content-Type-Options: nosniff HTTP response header, or a quick content analysis (“ sniffing”) confirms that the type is correct.They have an HTML, XML, JSON, or text/plain MIME type, and.The cross-site document blocking policy prevents a process from receiving “documents” from other origins if: Resources include things like images, JavaScript, CSS and fonts. A website is able to receive documents from its own domain or from other domains with permissive CORS headers. Here, documents are HTML, XML, JSON, and text files. To help prevent sensitive information from leaking this information, Site Isolation includes a “ cross-site document blocking” feature that limits which network responses are delivered to the renderer process.Ī website can request two types of data from a server: “documents” and “resources”. These two terms refer to the same concept.Įven when all cross-site pages are put into separate processes, pages can still legitimately request some cross-site subresources, such as images and JavaScript. The Chrome team has been working on a feature to achieve this called “ Site Isolation”:Īfter the publication of this document, Cross-Site Document Blocking was renamed to Cross-Origin Read Blocking. The impact of successfully exploiting Spectre can be greatly reduced by preventing sensitive data from ever sharing a process with attacker-controlled code. There are multiple efforts the Chrome and V8 engineering team is deploying to mitigate this threat. If a website contains user-specific data, there is a chance that another site could use these new vulnerabilities to read that user data. This can happen when one has opened the other using window.open, or, or iframes. Sometimes, multiple documents from different sites can end up sharing a process in Chrome. ![]() If you are interested in how these vulnerabilities can be exploited, I recommend taking a look at the blog post by my colleagues from the Google Cloud team.īoth Meltdown and Spectre potentially allow a process to read memory that it is not supposed to be able to. There have been a wide variety of explanations of these vulnerabilities, so I am not going to add yet another one. If you are wondering why these steps help, read on! # The risk ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |