Mozilla is pleased to announce that Firefox 90 will support the acquisition function based on metadata request headers, enabling Web applications to protect themselves and users from various cross-origin threats. It is reported that such threats cover cross-site request forgery (CSRF), cross-site leakage (XS-Leaks), and speculative cross-site execution side-channel (Spectre) attacks.
Behind the cross-site attack, it actually involves the basic security issues of the Web. Due to its open nature, it is difficult to allow the Web server to strictly distinguish between requests from its own application (browser tab) or requests from malicious (cross-site) applications that may be opened in different ways.
As shown in the figure above, suppose the user logs in to the bank website hosted at https://banking.com and carries out certain activities related to online banking. At the same time, websites controlled by malicious attackers can also be opened in different browser tabs and perform some malicious operations from https://attacker.com.
Therefore, in the process of normal user interaction, the online banking web server may receive some exceptional operations, but it is almost impossible to distinguish whether the operation was initiated by the user or the malicious attack code in another tab.
As a result, online banking or common web application servers rigidly accept arbitrary operations and allow related attacks to be launched. The good news is that starting from Firefox 90, Mozilla will allow Web browsers to obtain metadata (Sec-Fetch-*) through HTTP request headers, allowing Web servers to better distinguish requests from same-origin/cross-site attacks.
With the additional context provided in the Sec-Fetch-* series of request headers (supporting the four request headers of Dest, Mode, Site, and User), the webserver will be able to reject or ignore malicious requests with an eye on it.
The enabling of the Fetch Metadate request header can bring a defense-in-depth mechanism for various web application services. In addition, Firefox will soon launch a new site isolation security architecture to further solve some of the above problems.
