Strict Isolation Policy
November 30, 2020
Strict Isolation Policy is intended to protect against all cross-site interactions, including top-level navigations to the application through hyperlinks. Because it also rejects legitimate inbound links, this is a very strict policy with real potential to prevent an application from functioning properly, and it should only be applied where the application never needs to be reached cross-site.
tip
Instead of rejecting all cross-site interactions outright, the user could be prompted to confirm the action (e.g. "Confirm that you visited this page from a trusted origin"). This still mitigates attacks that run in the background while avoiding unintended breakage of the application.
However, this only works for top-level navigational requests: other resources (images, scripts, frames, fetch() calls) are loaded in the background without any user interaction, so they still have to be rejected.
Implementation with Fetch Metadata
The snippet below shows an example implementation of Strict Isolation Policy based on the Sec-Fetch-Site request header:
```python
# Reject cross-site requests to protect from CSRF, XSSI, and other bugs
def allow_request(req):
    site = req['headers'].get('sec-fetch-site')
    # Allow requests from browsers which don't send Fetch Metadata
    if site is None:
        return True
    # Block any cross-site request (including top-level navigations)
    if site == 'cross-site':
        return False
    # Allow same-origin, same-site and user-initiated ('none') requests
    return True
```
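The following is an added example (not the wiki's own code) that extends the Fetch Metadata check above with the confirmation step suggested in the tip: cross-site top-level navigations get a "confirm" decision instead of a hard reject, while every other cross-site request is still blocked. The header names are the real Sec-Fetch-* request headers; the decision constants and the sample requests are constructed for this example.

```python
# Added example (not the wiki's own code): Strict Isolation Policy decision
# from Fetch Metadata headers, with a confirmation path for cross-site
# top-level navigations. Sample requests below are constructed inputs.

ALLOW, BLOCK, CONFIRM = "allow", "block", "confirm"


def isolation_decision(headers):
    """Return ALLOW, BLOCK or CONFIRM for a request.

    `headers` maps lowercase header names to values. Only the Fetch
    Metadata headers are consulted, so a browser that does not send them
    is allowed through (other signals, e.g. a SameSite=Strict cookie or
    the Referer header, have to cover that case).
    """
    site = headers.get("sec-fetch-site")
    if site is None:
        # Legacy browser: no Fetch Metadata at all.
        return ALLOW
    if site != "cross-site":
        # same-origin, same-site, or "none" (URL typed in / bookmark):
        # not a cross-site interaction, so nothing to isolate against.
        return ALLOW
    # Cross-site, but a top-level navigation to a document: the user will
    # see the result, so a confirmation page can replace a hard reject.
    # `sec-fetch-dest: iframe` / `embed` / `object` also use "navigate"
    # mode but render in the background, so they do NOT qualify.
    if (headers.get("sec-fetch-mode") == "navigate"
            and headers.get("sec-fetch-dest") == "document"):
        return CONFIRM
    # Every other cross-site request (fetch(), <img>, <script>, frames, ...)
    # is loaded invisibly and can carry an XS-Leak or CSRF: block it.
    return BLOCK


# Constructed sample requests: (description, headers as a browser sends them).
SAMPLE_REQUESTS = [
    ("legacy browser, no Fetch Metadata", {}),
    ("same-origin fetch()", {"sec-fetch-site": "same-origin",
                             "sec-fetch-mode": "cors", "sec-fetch-dest": "empty"}),
    ("user typed the URL", {"sec-fetch-site": "none",
                            "sec-fetch-mode": "navigate", "sec-fetch-dest": "document"}),
    ("cross-site hyperlink click", {"sec-fetch-site": "cross-site",
                                    "sec-fetch-mode": "navigate",
                                    "sec-fetch-dest": "document", "sec-fetch-user": "?1"}),
    ("cross-site <iframe>", {"sec-fetch-site": "cross-site",
                             "sec-fetch-mode": "navigate", "sec-fetch-dest": "iframe"}),
    ("cross-site <img> probe", {"sec-fetch-site": "cross-site",
                                "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image"}),
    ("cross-site fetch() with CORS", {"sec-fetch-site": "cross-site",
                                      "sec-fetch-mode": "cors", "sec-fetch-dest": "empty"}),
]


def evaluate_samples():
    """Map each sample description to the policy's decision."""
    return {desc: isolation_decision(hdrs) for desc, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for desc, decision in evaluate_samples().items():
        print(f"{decision:8s} {desc}")
```

Note that the `<iframe>` case is the reason the tip is limited to navigational requests in the narrow sense: a framed navigation is invisible to the user, so a confirmation page there would just be rendered off-screen in the attacker's page and the request itself (and whatever it leaks) would already have happened.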
Implementation with SameSite cookies
If a server sets a cookie with the SameSite=Strict attribute, browsers will not attach it to any cross-site request, including top-level navigations. Any request that arrives without that cookie can therefore be rejected, as showcased in this snippet (note that a first visit, or a visit after the cookie has expired, is also rejected, which is what makes the policy strict):
```python
# Reject cross-site requests to protect from CSRF, XSSI, and other bugs
def allow_request(req):
    # A SameSite=Strict cookie is only attached to same-site requests
    if req['cookies'].get('strict-cookie') == 'true':
        return True
    # Block requests without the strict cookie (cross-site request, or the
    # cookie was never set or has expired)
    return False
```
Implementation with Referer
It is also possible to reject requests whose Referer header does not name a trusted origin:
```python
# Reject requests that came from untrusted referrers
# Placeholder: populate with the application's own trusted referrer URLs
trusted_referers = {'https://example.com/'}

def allow_request(req):
    # Check whether the Referer header is trusted, i.e. present in trusted_referers
    # (a missing header yields None, which is never trusted)
    if req['headers'].get('referer') in trusted_referers:
        return True
    # Block requests with a missing or untrusted Referer
    return False
```
important
It is not guaranteed that every request will contain the Referer header (e.g. browser extensions or a restrictive Referrer-Policy can strip it), so this check can break an application for legitimate users. Also be aware that an attacker can deliberately suppress the header, for example with `rel="noreferrer"` or `referrerpolicy="no-referrer"`, so a check that falls back to allowing requests without a Referer is trivially bypassed: a missing Referer must be treated as untrusted. Twitter deployed [1] a similar protection against XS-Leaks.
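The following is an added example (not the wiki's or Twitter's code) that combines the two fallback signals above, the SameSite=Strict cookie and the Referer header, for browsers that send no Fetch Metadata. It compares Referer origins rather than raw header values, and it makes the no-referrer caveat concrete: the `allow_missing_referer` switch exists only to show how accepting a missing Referer turns the check into a bypass. The cookie name, the trusted origins and the sample requests are assumptions constructed for the example.

```python
# Added example (not the wiki's own code): Strict Isolation fallback for
# browsers without Fetch Metadata, combining the SameSite=Strict cookie
# marker with an origin-based Referer check. Cookie name, trusted origins
# and sample requests are constructed for this example.
from urllib.parse import urlsplit

STRICT_COOKIE = "strict-cookie"  # assumed name; server sets it with SameSite=Strict
TRUSTED_ORIGINS = {"https://example.com", "https://www.example.com"}  # assumed


def referer_origin(referer):
    """Reduce a Referer value to its origin (scheme://host[:port]), or None.

    Comparing origins avoids two classic mistakes: substring matching
    ("example.com" in referer) and trusting a full URL that merely
    mentions the trusted host in its path or query string.
    """
    try:
        parts = urlsplit(referer)
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if ":" in host:  # IPv6 literal: hostname strips the brackets, put them back
        host = f"[{host}]"
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def allow_legacy_request(req, allow_missing_referer=False):
    """Strict Isolation fallback for a request that carries no Fetch Metadata.

    1. A cookie set with SameSite=Strict is never attached to a cross-site
       request, so its presence proves the request came from our own site.
    2. Without it (first visit, expired or cleared cookie) fall back to the
       Referer origin. A missing Referer is rejected by default: an attacker
       can suppress the header with rel="noreferrer" or a no-referrer
       Referrer-Policy, so `allow_missing_referer=True` makes the whole
       check bypassable and is only here to demonstrate that failure mode.
    """
    if STRICT_COOKIE in req.get("cookies", {}):
        return True
    referer = req.get("headers", {}).get("referer")
    if referer is None:
        return allow_missing_referer
    return referer_origin(referer) in TRUSTED_ORIGINS


# Constructed sample requests (no Fetch Metadata headers in any of them).
SAMPLE_REQUESTS = {
    "same-site: strict cookie present": {"cookies": {STRICT_COOKIE: "1"}, "headers": {}},
    "first visit from trusted origin": {"cookies": {},
                                        "headers": {"referer": "https://www.example.com/app?x=1"}},
    "lookalike host": {"cookies": {}, "headers": {"referer": "https://example.com.evil.net/"}},
    "trusted host only in query": {"cookies": {},
                                   "headers": {"referer": "https://evil.net/?next=https://example.com"}},
    "attacker suppressed Referer": {"cookies": {}, "headers": {}},
}


def evaluate_samples(allow_missing_referer=False):
    """Map each sample description to the fallback check's verdict."""
    return {name: allow_legacy_request(req, allow_missing_referer)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{'allow' if verdict else 'block':5s} {name}")
```

Running `evaluate_samples()` blocks the lookalike host, the URL that only mentions the trusted host in its query, and the request with no Referer at all; flipping `allow_missing_referer` to `True` lets that last request through, which is exactly the hole the note above warns about.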