More control with Clear-Site-Data and Feature-Policy

W3C and WICG (Web Incubator CG) keep pushing out new defense technologies this year. This article briefly describes two new headers: what they do, how they can protect the user and, finally, some considerations.

These headers differ from other security headers because they are designed for modern web browsers. New features often widen the attack surface, and these headers may be a good answer to that problem.

Both technologies are still drafts and will almost certainly change. They are nevertheless interesting to write about because they hint at the security and privacy issues we currently face on the web - these technologies are created for a reason.


Clear Site Data

Clear Site Data is a response header that informs the browser that it should clear data related to the origin that sent it. The header will most probably be expanded in the future to cover more forms of storage. As of right now, Clear-Site-Data can clear local and session storage, cache and cookies. The header can provide both privacy and security, which makes it quite unique.

Cache is hard to define as it differs between browsers. What is certain is that cached resources downloaded from the web server will be cleared. Other caches, such as HSTS/HPKP state and SDCH dictionaries, may fall into the category that is cleared. Perhaps the header will follow Chrome's storage model.

The response header is easy to use, but note that it differs from other headers in that it should only be sent in certain responses, for example when the user logs out or presses a button that clears the cache.

Example:

example.com lets users upload pictures. These pictures are private and cannot be viewed unless you are authenticated. The website (example.com) sends the response header Clear-Site-Data: cache, cookies when a user logs out, to be certain that the browser has no pictures saved locally in its cache. Otherwise an attacker with physical access to the web browser at a later time would be able to view these pictures.
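The logout flow described above, written out as an added example (not code from the original article): a minimal WSGI application that emits Clear-Site-Data only on the logout response and leaves every other response alone. The directive names follow the W3C Clear Site Data specification, whose current draft quotes each directive ("cache", "cookies"); the path /logout and the session cookie name are constructed for this example.

```python
# Added example: send Clear-Site-Data only on logout.
# Directive names come from the W3C Clear Site Data specification; the quoted
# form ("cache", "cookies") is what the current draft specifies. The /logout
# path and the "session" cookie name are constructed for this example.
from wsgiref.util import setup_testing_defaults

# Types the specification defines; "*" means all of them.
KNOWN_TYPES = {"cache", "cookies", "storage", "executionContexts", "*"}


def build_clear_site_data(types):
    """Return the header value for the given data types, quoted as the spec requires.

    Unknown types are rejected instead of being forwarded, so a typo does not
    silently produce a header the browser would ignore."""
    unknown = set(types) - KNOWN_TYPES
    if unknown:
        raise ValueError(f"unknown Clear-Site-Data type(s): {sorted(unknown)}")
    ordered = []  # keep caller order, drop duplicates
    for t in types:
        if t not in ordered:
            ordered.append(t)
    return ", ".join(f'"{t}"' for t in ordered)


def parse_clear_site_data(value):
    """Parse a header value into the set of types a browser would act on.

    Unquoted or unknown tokens are skipped, mirroring the spec's rule that a
    user agent ignores directives it does not recognise."""
    types = set()
    for part in value.split(","):
        part = part.strip()
        if len(part) >= 2 and part[0] == '"' and part[-1] == '"':
            t = part[1:-1]
            if t in KNOWN_TYPES:
                types.add(t)
    return types


def app(environ, start_response):
    """Only the logout response carries Clear-Site-Data. Sending it on every
    response would make the site wipe its own cache on each request."""
    path = environ.get("PATH_INFO", "/")
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if path == "/logout":
        headers.append(("Clear-Site-Data", build_clear_site_data(["cache", "cookies"])))
        # Expire the session cookie explicitly too, for browsers without support.
        headers.append(("Set-Cookie", "session=; Max-Age=0; Path=/; HttpOnly; Secure"))
        body = b"Logged out"
    else:
        body = b"Hello"
    start_response("200 OK", headers)
    return [body]


def run(path):
    """Invoke the app for a path and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run("/logout"))
    print(run("/"))
```

The parser is there to show the other side of the contract: a directive that is misspelled or left unquoted is simply dropped by the browser, so a logout handler that hand-writes the header without validation can fail silently.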

Clear Site Data can indeed provide privacy, and a lot of security as well. Cache has its privacy considerations, because certain attacks use the cache as proof that the user has visited a website or performed a certain action (such as submitting a form, clicking on links, etc.).

Examples of [new and old] privacy attacks related to cache are:

Clear Site Data may be able to mitigate present and future cache attacks if deployed correctly. However, the origin that sends the header will still be able to track you; the header only mitigates privacy attacks against your browser from another origin.

As stated earlier, Clear Site Data may provide security as well. Because the header can instruct the browser to clear its cache, an origin may be able to remove cached content that has security implications, such as an XSS payload that uses the cache or storage for persistence.


Feature-Policy

Feature Policy is a mechanism that declares which browser features may be used within the origin. The features are:

  • Cookies
  • document.domain
  • document.write
  • XMLHttpRequest
  • Geolocation API
  • Web MIDI API
  • Push API
  • WebRTC
  • more in the future...

This is a powerful response header designed for the future. It is aimed squarely at browsers that implement many of the rich APIs listed above.

Feature Policy may provide security and privacy as well. With this header it becomes easier to embed third-party components such as iframes, JavaScript libraries and even Flash on your website, because you can lock down the list of features the browser will allow.

This header won't directly provide security; rather, it can mitigate pivoting and tracking. Without certain browser functionality, advanced attacks become harder. Some of these technologies may be used in privacy attacks as well.
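To make the lock-down concrete, here is an added example (not code from the article or from the WICG draft) that builds a Feature-Policy header and then evaluates it the way a browser would when an embedded iframe asks for a feature. The header syntax follows the later WICG Feature Policy draft (feature name followed by an allowlist of *, 'self', 'none' or origins). The feature names geolocation, midi and fullscreen are real draft feature names but are chosen here as illustrations; the origins and the assumed default of 'self' for features the header does not mention are assumptions of this example.

```python
# Added example: build and evaluate a Feature-Policy header.
# Syntax follows the WICG Feature Policy draft: "feature allowlist; feature allowlist",
# where an allowlist is '*', 'self', 'none' or one or more origins.
# Feature names and origins below are constructed for this example; treating an
# unmentioned feature as 'self' is an assumption, not a rule of the draft for
# every feature.
from urllib.parse import urlsplit

ALLOW_ALL = "*"
ALLOW_SELF = "'self'"
ALLOW_NONE = "'none'"


def build_feature_policy(policy):
    """policy: dict mapping feature name -> list of allowlist entries."""
    parts = []
    for feature, allowlist in policy.items():
        if not allowlist:
            raise ValueError(f"empty allowlist for feature {feature!r}")
        parts.append(f"{feature} {' '.join(allowlist)}")
    return "; ".join(parts)


def parse_feature_policy(value):
    """Parse a header value into {feature: [allowlist entries]}.
    Empty directives (e.g. a trailing ';') are ignored."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def origin_of(url):
    """Reduce a URL or origin string to scheme://host[:port]."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def feature_allowed(policy, feature, document_origin, requesting_origin):
    """Decide whether requesting_origin (the page itself or an iframe it embeds)
    may use `feature` under the policy delivered by document_origin."""
    # Assumption for this example: a feature the header omits behaves as 'self'.
    allowlist = policy.get(feature, [ALLOW_SELF])
    if ALLOW_NONE in allowlist:
        return False
    if ALLOW_ALL in allowlist:
        return True
    doc = origin_of(document_origin)
    req = origin_of(requesting_origin)
    if ALLOW_SELF in allowlist and req == doc:
        return True
    origins = {origin_of(e) for e in allowlist if e not in (ALLOW_SELF, ALLOW_NONE)}
    return req in origins


if __name__ == "__main__":
    header = build_feature_policy({
        "geolocation": [ALLOW_NONE],               # nobody, not even the page
        "midi": [ALLOW_SELF],                      # the page only
        "fullscreen": [ALLOW_SELF, "https://cdn.example"],
    })
    print(header)
    parsed = parse_feature_policy(header)
    print(feature_allowed(parsed, "fullscreen", "https://example.com", "https://ads.example"))
```

The evaluation order matters: 'none' wins over everything else, '*' opens the feature to every embedded origin, and only then are 'self' and explicit origins consulted. Deny-by-default for features you never use is the "blacklist what you are not using" practice the summary recommends.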


Summary

Clear Site Data will land in Chrome soon, as you can track here.

With these two new headers it's possible to:

  • Instruct the browser to clear its cache and/or storage at any point
  • Blacklist browser features that you're not using, as a best practice