October 1, 2020
Category Defense

Getting access to a website’s window object is a common prerequisite for different XS-Leak techniques. Framing Protections can ensure that an attacker cannot use iframes to access the window object, but this does not stop an attacker from accessing the window object from an opened window through or window.opener references.

Exploiting XS-Leaks with is generally seen as the least appealing option for an attacker because the user can see it happen in the open browser window. However, it’s usually the right technique when:

To prevent other websites from gaining arbitrary window references to a page, applications can deploy Cross-Origin-Opener-Policy (COOP) 1 2.

There are three possible values for the COOP header:

  • unsafe-none – This is the default value and is how websites behave if no value is set.
  • same-origin – This is the strictest value. If you set same-origin, then cross-origin websites cannot get access to your window object through opening new windows. If your application relies on using to open another website and communicate with it, this will be blocked by same-origin. If this is an issue, set same-origin-allow-popups instead.
  • same-origin-allow-popups – This value allows your website to use, but does not allow other websites to use against your application.

If possible, it is recommended to set same-origin. If you set same-origin-allow-popups, be sure to review what websites you open with and ensure that they are trusted.

Considerations #

Since COOP is an opt-in mechanism and a very recent one, it can easily be overlooked by developers and security engineers. Nonetheless, it’s important to highlight the importance of this defense mechanism as it is the only way to prevent attackers from exploiting XS-Leaks which make use of window references returned by APIs like (unless SameSite Cookies in the Strict mode can be widely deployed).

Deployment #

Check out this article to learn more about the advantages of this protection and how to deploy it.

References #

  1. Cross-Origin-Opener-Policy response header (also known as COOP), link ↩︎

  2. Cross-Origin-Opener-Policy, link ↩︎