@dherman
Last active January 20, 2017 16:54

SOP Threat Model

  • evil.com:<script> ----🍪----> facebook.com/🤐.csv
    • fix: opaque response
  • evil.com:<script> ----🔟----> go/🤐.csv
    • fix: opaque response

CORS Threat Model

  • evil.com:XHR:X-Data --🍪--> facebook.com/🤐.json
    • fix: drop response (unless CORS headers opt in)
  • evil.com:XHR:X-Patriot --🍪-> us.mil/🚀
    • fix: preflight
  • evil.com:@font-face ---------> cdn.com/💰.woff
    • fix: drop response (unless CORS headers opt in)

App Threat Model

  • evil.com:<a> -------🍪------> bank.com/🚀
    • fix: no side effects through GET
  • evil.com:<form> -----🍪-----> bank.com/🚀
    • fix: session token
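The server-side half of the four fixes in the CORS and App sections above, as an added example that is not part of this gist; the allowed-origin set, the accepted custom header, and the function and field names are assumptions:

```python
# Constructed example: a server policy for the "fix" lines above.
# The allowed origins/headers below are assumptions, not real site config.
from dataclasses import dataclass, field
import hmac

ALLOWED_ORIGINS = {"https://app.example"}  # origins allowed to read our JSON
ALLOWED_HEADERS = {"x-data"}               # custom headers accepted after a preflight
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    origin: str = ""                               # Origin is set by the browser, not by page script
    headers: dict = field(default_factory=dict)    # lower-cased header names
    cookies: dict = field(default_factory=dict)    # the 🍪 rides along on every cross-site request
    form: dict = field(default_factory=dict)


def cors_headers(req):
    """'drop response (unless CORS headers opt in)': only a listed origin gets
    Access-Control-Allow-Origin, so evil.com's XHR or @font-face response stays opaque."""
    if req.origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": req.origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def preflight(req):
    """'fix: preflight': a custom header such as X-Patriot makes the browser send an
    OPTIONS probe first; it only issues the real request if this answer allows the
    origin and every requested header. Returns (status, headers)."""
    raw = req.headers.get("access-control-request-headers", "")
    wanted = {h.strip().lower() for h in raw.split(",") if h.strip()}
    if req.origin not in ALLOWED_ORIGINS or not wanted <= ALLOWED_HEADERS:
        return 403, {}
    return 204, {**cors_headers(req),
                 "Access-Control-Allow-Headers": ", ".join(sorted(wanted))}


def side_effect_allowed(req, session_csrf_token):
    """App threat model: a GET from <a> never triggers the 🚀, and a POST from <form>
    must carry a token bound to the session, which evil.com cannot read (SOP)."""
    if req.method not in STATE_CHANGING:
        return False                                  # 'no side effects through GET'
    sent = req.form.get("csrf_token", "")
    return hmac.compare_digest(sent, session_csrf_token)  # 'session token'
```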

Legend

  • πŸͺ - cookie (authentication)
  • πŸ”Ÿ - intranet IP address
  • 🀐 - secret data
  • πŸš€ - side effect
  • πŸ’° - copyrighted asset