Anonymous iframe origin trial: Easily embed iframes in COEP environments


News category: Programming
Source: developer.chrome.com

Why we need COEP

Some web APIs increase the risk of side-channel attacks such as Spectre. To mitigate that risk, browsers offer an opt-in-based isolated environment called cross-origin isolation, which, among other things, requires deploying COEP. This allows websites to use privileged features including SharedArrayBuffer, performance.measureUserAgentSpecificMemory(), and high-precision timers with better resolution.

To enable cross-origin isolation, websites must send the following two HTTP headers:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

COEP:credentialless can also be used as an alternative to require-corp.

Challenges with enabling COEP

While cross-origin isolation gives webpages better security and access to powerful features, deploying COEP can be difficult. One of the biggest challenges is that every cross-origin iframe must itself deploy COEP and opt in to being embedded with a Cross-Origin-Resource-Policy (CORP) header. The browser refuses to load iframes that lack those headers.

The iframes are usually served by a third party for whom it may not be easy to deploy COEP.

Anonymous iframe to the rescue

That's where the anonymous iframe comes in. By adding the anonymous attribute to the <iframe> element, the iframe is loaded in a separate, ephemeral storage partition and is no longer subject to the COEP embedding restrictions.

Example:

<iframe anonymous src="https://example.com"></iframe>

The iframe is created in a new, ephemeral context and does not see any cookies the browser already holds, neither the top-level site's nor those of the embedded origin: it starts from an empty cookie jar. Likewise, storage APIs such as localStorage, CacheStorage, IndexedDB and so on read and write data in the new ephemeral partition. The partition is scoped to the current top-level document and the origin of the iframe, and it is cleared once the top-level document is unloaded.

Anonymous iframes are not subject to the COEP embedding rules. This is still secure because they are loaded from a new, empty context every time, so their content is never personalized. The frame can only hold data that the embedded origin would serve to any unauthenticated visitor, which is of no value to an attacker reading the embedding page's process memory through a Spectre-style side channel.

Demo

You can check out an anonymous iframe at: https://anonymous-iframe.glitch.me/

Register for an origin trial

To ensure that Anonymous iframes are helping developers adopt cross origin isolation, we are making them available in Chrome from version 106 to 108 as an origin trial.

Register for the origin trial to enable your website to use Anonymous iframes:

  1. Request a token for your origin.
  2. Use the token in one of the following ways:
    • In your HTML:
      <meta http-equiv="Origin-Trial" content="TOKEN_GOES_HERE">
    • In your JavaScript:
      const meta = document.createElement('meta');
      meta.httpEquiv = 'Origin-Trial';
      meta.content = 'TOKEN_GOES_HERE';
      document.head.append(meta);
    • In the HTTP headers:
      Origin-Trial: TOKEN_GOES_HERE
  3. Add an anonymous iframe to your page:
    <iframe anonymous src="https://example.com"></iframe>

If you have any feedback on this feature, file an issue in the GitHub repository.

Third party origin trial

The origin trial is also available to third-party scripts. This means the trial can be enabled by a script embedded on the page rather than by the page's own origin.

Learn more about how to register for a third-party origin trial.

FAQ

Will this feature be adopted by other browsers?

Are iframes nested inside <iframe anonymous> anonymous?

Yes. It is inherited. Once an iframe is anonymous, that applies to all iframes in the whole subtree even without an anonymous attribute.

Are pop-ups created from <iframe anonymous> anonymous too?

Pop-ups are opened as if noopener was set. They are created from a new regular top-level context and are not anonymous. They can't communicate with the anonymous iframe.

Resources

...


