Solving Clickjacking - HTTP 203

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
JAKE ARCHIBALD: So what are you doing this evening? I don't know. I don't have any small talk. I didn't become a developer to do small talk. It's literally why I became a developer, because I can't. SURMA: Maybe we can sneak out and just replace ourselves with-- SPEAKER: And action. [MUSIC PLAYING] JAKE ARCHIBALD: So. SURMA: So. JAKE ARCHIBALD: So. SURMA: We haven't used it in the last two episodes. JAKE ARCHIBALD: We're using it now, and we're going to use it a lot. So-- SURMA: So. JAKE ARCHIBALD: --I want to talk about clickjacking. SURMA: Oh, yes. JAKE ARCHIBALD: Now, this is a hack that was discovered in the 2000s. SURMA: Yeah. JAKE ARCHIBALD: And this is where you'd have a setup like this. You have a button that's part of a website, and then you have this, which is an iframe to another website. SURMA: Mm-hm. Another website. JAKE ARCHIBALD: Some other website, some other social media site. And the idea is, you click that, and it will like this page. It's bringing an interactive element from another site onto your site. Yes, and because it's an iframe, any clicks that are happening there will be owned by the iframe-- SURMA: Yeah. [INTERPOSING VOICES] JAKE ARCHIBALD: --rather than the parent page-- SURMA: Yes. JAKE ARCHIBALD: --to the point where, in order to drag this around, I've had to add this little bit here, which is part of the parent page, because if I do that, the click goes into the iframe and I can't control it. So clickjacking was this thing where people would abuse this feature by tricking people to like a page, buy something, or generally interact with a site that they don't think they're interacting with. And what would happen is, they would put a button, like, over the top, like this, but then make it-- SURMA: This is the worst clickjacking attempt I've ever seen! JAKE ARCHIBALD: This is great! And then you'll get-- SURMA: You want to click this. Click me, please. JAKE ARCHIBALD: I would fall for it. SURMA: Please, sir! JAKE ARCHIBALD: I would fall for it. I'm quite stupid. But it'll give it [INAUDIBLE]. So when you click that, that would go down into the iframe and you've liked the page. Another way of doing it would be to put the Like button on top, but bring the opacity of it down. So you're clicking there, but you're actually clicking on the iframe, which is on top. Oh, various other tricks you could do by visually obscuring it like that and tricking the user to click it. They don't realize it's-- although that content is controlled by the other site, you've done something to it to the point where it's no longer legible. Another one would be to put a message there and just encourage the user tech click on this little bit here. And the context of the actual button is gone, because you've covered it up [INAUDIBLE] with this. So this was a problem. SURMA: Yes. JAKE ARCHIBALD: This is a problem that they had to fix. And they fixed it in sort of 2009-2010, depending on the browser. And this was the solution. SURMA: The X-Frame Options header. JAKE ARCHIBALD: And this is another one of the things in the web platform that should have been the default. But because it wasn't there at the start-- SURMA: Just like cause. JAKE ARCHIBALD: --just like cause and like no cause blah, blah, blah. So you put this header, and that says, I cannot be in an iframe-- SURMA: OK. JAKE ARCHIBALD: --because, as well as things like Like buttons, what people were doing was creating like a whack-a-mole game, where you're playing whack-a-mole, like, oh, blip, blip, blip, blip. SURMA: Oh! Then suddenly, Like button. JAKE ARCHIBALD: No, but what you didn't know was there was an iframe over the top of, like, Amazon, and those moles were appearing in the places where you would navigate your way through Amazon and buy a thing. SURMA: Wow. JAKE ARCHIBALD: And that was one of the hacks that you could actually get the user to navigate around the site. And if you knew roughly where the buttons were going to be-- SURMA: That's pretty amazing. JAKE ARCHIBALD: Yes. So this was the solution for that. SURMA: But the social button thing works with iframes to this day, right? JAKE ARCHIBALD: They want to be iframes. So what you'll see that happens now is you click on the Like button, and it will open a new tab or a pop-up window-- SURMA: [INAUDIBLE] Like again. JAKE ARCHIBALD: --that is just to the social media site or to whatever site, and that is where you have to complete the final interaction, because that's the only time it's safe. SURMA: So basically, the embedder took responsibility for this at that point. JAKE ARCHIBALD: Yes, exactly that. SURMA: Embedee. JAKE ARCHIBALD: Yes. And then, because it's safe then, because the other site can't render anything over the top. But people are asking now, can we fix this? Can we make this actually work, so you don't have to go off to the other site? Can we make this safe? And in order to do this, as the owner of this button, I would need to confirm that nothing has messed with the rendering of the button in any sort of way. Like nothing's on top of it, but also, I haven't been blurred, I haven't had filters applied, I haven't had anything that is going to trick the user into doing something-- SURMA: It's interesting, because-- JAKE ARCHIBALD: --that I'm not aware of. SURMA: --this button probably is still an iframe, so it hasn't-- JAKE ARCHIBALD: Yes. SURMA: --really have any context of what the other site is doing to that iframe. JAKE ARCHIBALD: Exactly. SURMA: And the IntersectionObserver already does this a little bit, because it has this feature where-- oh, it's the first API, that's what I want to say. IntersectionObserver is the first API I've heard of that can penetrate iframes in a way, because it can track invisibility even if you're inside an iframe. JAKE ARCHIBALD: Yeah, there's a couple of APIs that give you information about iframes. There's the ancestorOrigins property that will, as an iframe, tell you what the origins of the parent iframes are. SURMA: Oh, I didn't know that one! Interesting. JAKE ARCHIBALD: That's a security feature. But as you say, IntersectionObserver, why do you know so much about this? Look who wrote the article! SURMA: That was me. JAKE ARCHIBALD: It's Mr. Surma. Yes, as you say, the IntersectionObserver will tell you when an element-- oh, you've got a lovely demo here-- is visible or not. And it works in an iframe. SURMA: So either you can scroll the iframe out of view or you can scroll the content inside the iframe out of view, and both times, the sections will be able to tell you if you are visible, which was made for stuff like ads who want to know if they're actually visible, so you get paid for it, or similar things. JAKE ARCHIBALD: Yes, or lazy loading-- SURMA: Lazy loading as well. True. JAKE ARCHIBALD: --stop/starting animations until they come into view. It's one of my favorite additions to the web, actually. It makes a bunch of stuff a lot simpler. SURMA: Apparently ResizeObserver is better. JAKE ARCHIBALD: ResizeObserver is amazing. I think this came out a year previously, didn't it? SURMA: Oh, that's right. JAKE ARCHIBALD: So it didn't make it into our competition. SURMA: If you don't know what we're talking about, watch our "HTTP 203" Christmas 2018 feature rundown. JAKE ARCHIBALD: You're great at these. Oh, we got to get those Likes and Subscribes. IntersectionObserver is looking at solving the clickjacking problem. SURMA: Cool! All right. JAKE ARCHIBALD: So this is in IntersectionObserver v2, which is in Canary right now, behind the Experimental Web Platform Features flag. SURMA: OK. JAKE ARCHIBALD: So this is what IntersectionObserver looks like right now. And do you know what? I don't like this API pattern. SURMA: No, I'm not a big fan. JAKE ARCHIBALD: It's super weird. It feels inside out. SURMA: Yeah, and you always have the entries, but most of the time, you only get one entry. JAKE ARCHIBALD: One entry. Yeah, I find it a really weirdly designed API. But we'll gloss over that. This is the new bit. SURMA: Oh, options. JAKE ARCHIBALD: So in the options, you say you want to track visibility. Now, IntersectionObserver calls this thing visibility. SURMA: Which is what the original IntersectionObserver already-- JAKE ARCHIBALD: Yes. I think this is badly named. SURMA: The IntersectionObserver's kind of correctly and both bad named, because, yes, it tracks intersections with your viewport, but it's also kind of called visibility. But to be fair, you can use IntersectionObserver to track actual intersections, even off-screen, by changing what it is relative to. So fair game. But still, it's very confusing this is now called visibility. JAKE ARCHIBALD: Yeah, and I think they might rename it, but they're kind of like-- I said, I think this is badly named. And they said, well, what name should it be? And I went-- SURMA: Obscuredness. JAKE ARCHIBALD: Yeah, and I said something like that, definitely not being clickjacked. I don't know. I don't know. So I don't know. You have to supply the delay property. Because this is a more expensive bit of computation, you have to give it a delay, which just sort of de-bounces the amount of times you hear about it. SURMA: Why do I have to go? Why is this-- sets? How low can I go? JAKE ARCHIBALD: That is as low as you can go. SURMA: OK. JAKE ARCHIBALD: 100 is as low as you can go. You can go higher. But 100 is as low as can go. SURMA: But you can be nice and tell the browser, I don't need to know this often. Like-- JAKE ARCHIBALD: Yeah, this is low-- SURMA: --just take your time. JAKE ARCHIBALD: --priority, just-- SURMA: OK. That's actually nice. JAKE ARCHIBALD: --I don't mind. And then in your doodad thingy-bob, callback here, in the entries, it tells you it's visible, and it'll-- SURMA: [INAUDIBLE] obscures. JAKE ARCHIBALD: Yes, well, the opposite. SURMA: It's not obscured. JAKE ARCHIBALD: It's not obscured. Yes, see, it's gray if you [INAUDIBLE].. I think it's really good. The naming aside, the functionality is really good. And what I'm going to do is enable it. There we go. SURMA: Cool. JAKE ARCHIBALD: OK, so now it's the same as before. There's just a bit of extra code running in here that knows when it's-- SURMA: It loads. JAKE ARCHIBALD: --being hijacked or whatever. So you can see, I can sort of move this around and everything's fine. SURMA: Oh, cool. Not obscured. JAKE ARCHIBALD: So I'm going to try the hack now where I'm going to put the button over there, and I'm going to change the opacity. And as soon as I change the opacity, it's like, nah. SURMA: Can't tell for sure, I guess. They're being conservative about this, aren't they? JAKE ARCHIBALD: Absolutely, and that's what the aim of this is right now is it doesn't care so much if there's false positives. They don't want false negatives. It wants to play on the safe side. SURMA: So they want to basically have 100% success rate of-- they want to get all the obscured cases at the cost of maybe saying you're obscured when you're not actually obscured. JAKE ARCHIBALD: Yep. Yep. And the same goes for other things, like filters. So if I bring the blur here-- SURMA: No. JAKE ARCHIBALD: As soon as it's blurred to any degree-- because you don't know what that button actually means, but it knows that it's being messed around with. And same here. As soon as there's an intersection, it's like, nope. So you can't do the trick where you encourage someone to click there. And one thing I thought was quite nice-- and I'm going to move that to there-- if I apply some blur to this, you'll see eventually, eventually, as it gets blurry, it triggers it. SURMA: Oh, because there's a tiny, little blur overlapping into-- JAKE ARCHIBALD: Yes, so it's not just intersecting at a layout level. It's intersecting at a paint level. SURMA: That's really good. JAKE ARCHIBALD: And that's because this element is appearing on top. But as soon as I make that one appear on top, it's fine, because it's on the top level. SURMA: Cool. JAKE ARCHIBALD: Yeah, that's really it. SURMA: That's really interesting. JAKE ARCHIBALD: And it's designed to detect things like clip-path, scrolling, anything that would be-- SURMA: Yeah, I'm guessing-- JAKE ARCHIBALD: [INAUDIBLE] SURMA: --they spend a lot of time going through all the possible ways you can mess around with obscuring and hiding and pretending to be there when you're actually not. JAKE ARCHIBALD: And there's more work to do. It's still a work in progress. I filed a few bugs recently where I found someone's like, oh, I can actually do this and it doesn't realize. So those will be fixed before launching. But the idea is we can start bringing back this behavior that we used to have before we figured out it was-- SURMA: Actual compatible, composable widgets. JAKE ARCHIBALD: Yeah, so you can click Like, it will actually work, or even a Buy Now button, and it will do the right thing. SURMA: You know that you can detect if this is legit click or not. JAKE ARCHIBALD: Exactly. And that's the important detail is the owner of the button knows what's happening to it. SURMA: So it's still the responsibility of the embeddee to make sure the click is legit. JAKE ARCHIBALD: Yes. SURMA: But now they can at a reliable level, because before this was practically impossible, no way to tell if there was content on top, I think. JAKE ARCHIBALD: Exactly. Yes, there was no way of doing this beforehand. This is entirely new. SURMA: So you said this is in Canary right now. JAKE ARCHIBALD: In Canary right now. SURMA: Do we have any signals from other people? I feel like this is something that, historically, Apple would be interested in, in securing these kind of things on the web. JAKE ARCHIBALD: There's definitely interest. It's something that the owners of these kind of buttons are very interested in. SURMA: Yeah, I can imagine. JAKE ARCHIBALD: So it's sort of popular with them. Right now, I think the other browsers are happy for Chrome to experiment and to prove that the API can actually work, can be done, and be fast, because you don't want just using this API to break the performance of the web. SURMA: That's true. JAKE ARCHIBALD: And that's what we're working on now. I have no more content. It's all done. That's it. This sheet of paper, done! That was it. SURMA: Tablet, done! JAKE ARCHIBALD: What did you want, another half an hour episode? SURMA: Yeah, tell me about something. He doesn't say cut. What do we do?
Info
Channel: Google Chrome Developers
Views: 26,451
Rating: 4.9425149 out of 5
Keywords: Chrome, Developers, Google, Web, Solving Clickjacking, clickjacking, intersection observer V2, Chrome OS, Chrome Developers, http 203, http203, GDS: Yes;
Id: EIH6IQgwdAc
Channel Id: undefined
Length: 12min 8sec (728 seconds)
Published: Tue Apr 02 2019
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.