Finding XS-Leaks in Web API Specifications (Bachelor)

General

Supervisors: Lukas Knittel, Dominik Noß

Further details:

Description

XS-Leaks are side-channel attacks that allow an attacker to infer cross-origin information from the browser's behaviour. For example, an iframe can have two sub-frames when the user is logged in, and three when they are not logged in.

Some of those XS-Leaks are already found in the specifications. For example, the Payment API specifies that "a payment handler can restrict the user agent to showing only one payment UI across all browser windows and tabs".

(https://www.w3.org/TR/2020/CR-payment-request-20201203/#using-with-cross-origin-iframes)

The phrase "only one across all windows" has a catch: if a tab can sense that it is forbidden to open a payment UI, it can infer that another tab is currently using it. Voilà, an XS-Leak.
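As an added illustration of the task (not part of the original topic description), a small Python helper that flags sentences in specification text whose wording hints at state shared across windows or tabs, the kind of phrase that produced the Payment Request example above; the phrase patterns and the sample sentences are constructed assumptions, a starting point for reading specs rather than an exhaustive list.

```python
import re
from dataclasses import dataclass

# Heuristic phrases hinting at state shared across browsing contexts.
# These patterns are assumptions: a triage aid for reading specs,
# not a complete catalogue of XS-Leak wording.
PATTERNS = [
    ("global-exclusivity",
     re.compile(r"\bonly one\b.*?\bacross all\b", re.I)),
    ("at-most-one",
     re.compile(r"\bat most one\b", re.I)),
    ("cross-context-state",
     re.compile(r"\b(?:across|between) (?:all )?"
                r"(?:browsing contexts|windows|tabs|documents)\b", re.I)),
]


@dataclass
class Hit:
    label: str      # which heuristic matched
    sentence: str   # the spec sentence to review by hand


def split_sentences(text: str) -> list[str]:
    """Naive sentence split on terminal punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def find_candidates(text: str) -> list[Hit]:
    """Return one Hit per sentence that matches any heuristic (first label wins)."""
    hits = []
    for sentence in split_sentences(text):
        for label, pattern in PATTERNS:
            if pattern.search(sentence):
                hits.append(Hit(label, sentence))
                break  # one label per sentence is enough for triage
    return hits


# Constructed sample: the Payment Request sentence quoted above, one
# made-up sentence about shared limits, and two made-up control sentences.
SAMPLE = (
    "A payment handler can restrict the user agent to showing only one "
    "payment UI across all browser windows and tabs. "
    "The method returns a promise that resolves with the result. "
    "The limit is shared between browsing contexts of the same user agent. "
    "Each window keeps its own copy of the state."
)

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE):
        print(f"[{hit.label}] {hit.sentence}")
```

Every hit still needs a human to decide whether the shared state is observable cross-origin; the script only narrows what to read.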

W3C offers a list of specifications:

Additionally, the four big ones are HTML, CSS, DOM and JavaScript:

  • html.spec.whatwg.org/
  • dom.spec.whatwg.org
  • www.w3.org/Style/CSS/specs.en.html
  • www.ecma-international.org/

Scope for Bachelor: the W3C Web API list.

Scope for Master: the W3C Web API spec list and one (1) of the big ones.

Your task is to delve into the many specifications and find all such hidden pitfalls, delivering an aggregated list of possibly novel XS-Leaks.

Prerequisites

Knowledge of XS-Leaks. Skills in JavaScript, English, web security.