
@mikewest
mikewest / 2021-webappsec-charter.md
Created January 19, 2021 14:52
Discussing a charter for WebAppSec in 2021.

WebAppSec Charter 2019

Mission

The mission of the Web Application Security Working Group is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication.

Scope

Modern Web Applications are composed of many parts and technologies. They may transclude, reference or have information flows between resources at the same, related or different origins. Due to the historically coarse-grained nature of the security boundaries and principals defined for such applications, they can be very difficult to secure.

//
// Registration
//
navigator.authentication.makeCredential({
rpDisplayName: "Acme",
displayName: "John P. Smith",
name: "johnpsmith@example.com",
id: "1098237235409872",
imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
}, [
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
// IDL stuff.
test(t => {
var i = document.createElement('iframe');
assert_equals("string", i.csp);
}, "<iframe> has a 'csp' attribute which is a string.");
#!/bin/sh
if [ -z "$1" ]; then
shot_path=$(date +%Y-%m-%d-%H-%M-%S).mp4
else
shot_path="$*"
fi
trap ctrl_c INT
@mikewest
mikewest / Sign-In.js
Created April 15, 2016 12:28
Eventbrite
//
// On https://www.eventbrite.com/
//
// First, adjust the `autocomplete` attributes on the email and password form fields:
document.querySelector('#login-email').setAttribute('autocomplete', 'username');
document.querySelector('#login-password').setAttribute('autocomplete', 'current-password');
// Then hook up an event listener to the form to catch typed/autofilled sign-ins:
//
// On the real site, they'd hook this up to the dispatcher that kicks off an XHR to login/:
@mikewest
mikewest / Sign-In.js
Last active April 13, 2016 17:12
Guardian + Credential Management API
//
// On https://profile.theguardian.com/signin
//
// Note: This will require relaxing the Content Security Policy on the sign-in page to
// allow `fetch()` to access the signin endpoint at `/actions/signin`.
//
// First, adjust the `autocomplete` attributes on the email and password form fields:
document.querySelector('#signin_field_email').setAttribute('autocomplete', 'username');
document.querySelector('#signin_field_password').setAttribute('autocomplete', 'current-password');
@mikewest
mikewest / Sign-In.js
Last active April 12, 2016 18:14
Credential Management API + `https://myaccount.nytimes.com`
// On https://myaccount.nytimes.com/mobile/login/smart/index.html
navigator.credentials.get({password: true}) // Include `{ ..., 'unmediated': true }` to grab credentials w/o chooser
.then(c => {
if (!c)
return;
c.additionalData = new FormData(document.querySelector('.loginForm'));
c.idName = "userid";
fetch('/mobile/login/smart/index.html', { credentials: c, method:'POST' })
.then(r => window.location = 'http://mobile.nytimes.com');
git grep -n -l -e 'throwDOMException\(\w*\)' -- '*.h' '*.cpp' '*.cc' | \
xargs -L1 sed -i '' \
-e 's/throwDOMException(\([a-zA-Z]*\))/throwUninformativeAndGenericDOMException(\1)/g'
STDERR: ASSERTION FAILED: m_key != PTHREAD_KEYS_MAX
STDERR: ../../Source/WTF/wtf/ThreadIdentifierDataPthreads.cpp(65) : static ThreadIdentifier WTF::ThreadIdentifierData::identifier()
STDERR: 1 0x87568c6 WTF::ThreadIdentifierData::identifier()
STDERR: 2 0x875829f WTF::currentThread()
STDERR: 3 0x7ecd180 WTF::ThreadRestrictionVerifier::isSafeToUse() const
STDERR: 4 0x7ecc975 WTF::RefCountedBase::ref()
STDERR: 5 0x7ecc4d6 WebKit::WebCString::WebCString(WTF::CString const&)
STDERR: 6 0x7ecc459 WebKit::WebCString::WebCString(WTF::CString const&)
STDERR: 7 0x82dfd58 WebKit::WebURL::WebURL(WebCore::KURL const&)
STDERR: 8 0x82dfce9 WebKit::WebURL::WebURL(WebCore::KURL const&)
CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-minimal.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: line 20: Exception! TypeError
Exception! TypeError