Insufficient Site Isolation Against Spectre Vulnerability

ID

insufficient_site_isolation_against_spectre_vulnerability

Severity

low

Kind

Access Control

CWE

693

Description

  • Cross-Origin-Resource-Policy Header Missing or Invalid: Cross-Origin-Resource-Policy is an opt-in response header designed to counter side-channel attacks like Spectre. A resource must be explicitly marked as shareable with other origins; otherwise the browser blocks cross-origin loads of it.

  • Cross-Origin-Embedder-Policy Header Missing or Invalid: Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don’t explicitly grant the document permission (using CORP or CORS).

  • Cross-Origin-Opener-Policy Header Missing or Invalid: Cross-Origin-Opener-Policy is a response header that allows a site to control whether other documents (for example, an opener or a popup it opens) share the same browsing context group. Sharing a browsing context group with untrusted documents can lead to data leaks.

Rationale

Without proper cross-origin isolation headers, malicious sites can exploit CPU-level side-channel vulnerabilities like Spectre to read sensitive data from the application’s memory space. An attacker hosting a malicious page can embed or reference the vulnerable application’s resources and use timing attacks to infer private data such as authentication tokens, user information, or API responses. These attacks bypass traditional same-origin policy protections by exploiting speculative execution in modern processors to leak data across security boundaries.

Remediation

Ensure that the application/web server sets the Cross-Origin-Resource-Policy header on every response, and that it is set to 'same-origin' for all web pages. 'same-site' is considered less secure and should be avoided. If a resource must be shared with other origins, set the header to 'cross-origin' for that resource only. If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Resource-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-resource-policy).
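The following checker, added here as an example and not part of the scanner's own code, reports each of the three headers described above as missing, invalid, or weaker than its strongest setting. The sample responses are constructed, and the directive lists and "strong" choices are this example's own assumptions, following the remediation above.

```python
"""Check a response's cross-origin isolation headers (CORP, COEP, COOP).

Added example, not the scanner's own code. Returns findings as a list so it
can be run over many captured responses (e.g. a proxy export)."""
from typing import Dict, List

# Assumed directive sets per header; "strong" = values treated as fully isolating.
POLICIES = {
    "cross-origin-resource-policy": {
        "valid": {"same-origin", "same-site", "cross-origin"},
        "strong": {"same-origin"},
    },
    "cross-origin-embedder-policy": {
        "valid": {"require-corp", "credentialless", "unsafe-none"},
        "strong": {"require-corp", "credentialless"},
    },
    "cross-origin-opener-policy": {
        "valid": {"same-origin", "same-origin-allow-popups", "unsafe-none"},
        "strong": {"same-origin"},
    },
}


def check_isolation_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per header that is missing, invalid, or weak.
    An empty list means the response carries the strongest setting of each."""
    # Header names are case-insensitive; drop reporting parameters such as
    # "; report-to=..." so only the directive itself is compared.
    normalized = {k.lower(): v.split(";")[0].strip().lower() for k, v in headers.items()}
    findings = []
    for name, policy in POLICIES.items():
        value = normalized.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif value not in policy["valid"]:
            findings.append(f"{name}: invalid value {value!r}")
        elif value not in policy["strong"]:
            findings.append(f"{name}: weak value {value!r}")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "no-isolation": {"Content-Type": "application/json"},
    "partially-isolated": {
        "Cross-Origin-Resource-Policy": "same-site",
        "Cross-Origin-Embedder-Policy": "require-corp; report-to=\"default\"",
        "Cross-Origin-Opener-Policy": "unsafe-none",
    },
    "isolated": {
        "Cross-Origin-Resource-Policy": "same-origin",
        "Cross-Origin-Embedder-Policy": "require-corp",
        "Cross-Origin-Opener-Policy": "same-origin",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, check_isolation_headers(hdrs) or ["ok"])
```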