DEV Community

Cover image for How to avoid Meltdown, Spectre and CSRF Attacks on Web with CORP, CORB, and CORS?
Beto Muniz
Beto Muniz

Posted on • Edited on • Originally published at betomuniz.com

How to avoid Meltdown, Spectre and CSRF Attacks on Web with CORP, CORB, and CORS?

A brief and useful content about the mechanics on Cross-Origin Read Blocking, Cross-Origin Resource Policy and Cross-Origin Resource Sharing against Meltdown, Spectre and CSRF Attacks.


CORB

By design, Cross-Origin Read Blocking validates browser requests before they even reach the server using their MIME type as a validation rule.

To enable it, send the HTTP header X-Content-Type-Options: nosniff from the server.


CORP

Cross-Origin Resource Policy is a complementary CORB mechanism for validation applied to requests flagged with no-cors to invalidate them if they came from different domains or origin.

Send the header Cross-Origin-Resource-Policy from the server with values same-origin or same-site to invalidate no-cors requests from different domains or origin.


CORS

Cross-Origin Resource Sharing is a logical context mechanism that ensures minimal security in the way that users consume web content using browsers instructing how the browser will validate the origin of the requests.

To define rules about how the origin of the request will be identified, send the HTTP header Access-Control-Allow-Origin using values like <exact_request_origin> and even a more generic approaches using *.


Conclusion

Hope that now you understand a bit better why to use these Cross-Origin Resource features

Try don't disable or ignore them in your web applications. Spectre, CSRF, and Meltdown attacks are really dangerous.

Top comments (5)

Collapse
 
cubiclesocial profile image
cubiclesocial

Meltdown and Spectre are related to hardware branch prediction. CORS, et al don't apply. They only affect shared computing environments like VPS servers and client-side JS in unpatched browsers. You can't do anything in your own code as a defense. Most major OS kernels and web browsers have already been patched to mitigate various exploit vectors.

Collapse
 
obetomuniz profile image
Beto Muniz • Edited

Indeed. CORS is useful only against CSRF due to the post context. About Spectre and Meltdown not be effective through the browsers, I could not agree 100%, since just recently (2 weeks ago) Firefox released Site Isolation in a solid response for such attacks. Still, thinking about thousands of users using outdated or old browsers, create a barrier in your application is a must-have recommendation to ensure an extra layer of security until old or outdated browsers are in use. So don't ignore such features if you can.

Collapse
 
cubiclesocial profile image
cubiclesocial

It's not about ignoring security features in browsers. You are attempting to correlate/associate irrelevant vulnerabilities as being able to be defended against using CORS, etc. That's simply not the case and spreads misinformation.

Thread Thread
 
obetomuniz profile image
Beto Muniz

Not sure what you are meaning about spread misinformation, but for you, CORS can't be used to defend against CSRF attacks? CORP/CORB can't be used against Spectre/Meltdown attacks? I would love to know where you're studying because my references say exactly the opposite.

Thread Thread
 
obetomuniz profile image
Beto Muniz