Many web applications need to display user-controlled content. This can be as simple as serving user-uploaded images (e.g. profile photos), or as complex as rendering user-controlled HTML (e.g. a web development tutorial). This has always been difficult to do securely, so we’ve worked to find easy, but secure solutions that can be applied to most types of web applications.
The classic solution for securely serving user-controlled content is to use what are known as “sandbox domains”. The basic idea is that if your application's main domain is example.com
, you could serve all untrusted content on exampleusercontent.com
. Since these two domains are cross-site, any malicious content on exampleusercontent.com
can’t impact example.com
.
This approach can be used to safely serve all kinds of untrusted content including images, downloads, and HTML. While it may not seem like it is necessary to use this for images or downloads, doing so helps avoid risks from content sniffing, especially in legacy browsers.
Sandbox domains are widely used across the industry and have worked well for a long time. But, they have two major downsides:
It is also worth noting that sandbox domains help mitigate phishing risks since resources are clearly segmented onto an isolated domain.
Over time the web has evolved, and there are now easier, more secure ways to serve untrusted content. There are many different approaches here, so we will outline two solutions that are currently in wide use at Google.
If a site only needs to serve inactive user content (i.e. content that is not HTML/JS, for example images and downloads), this can now be safely done without an isolated sandbox domain. There are two key steps:
Content-Type
header to a well-known MIME type that is supported by all browsers and guaranteed not to contain active content (when in doubt, application/octet-stream
is a safe choice).
This combination of headers ensures that the response can only be loaded as a subresource by your application, or downloaded as a file by the user. Furthermore, the headers provide multiple layers of protection against browser bugs through the CSP sandbox header and the default-src
restriction. Overall, the setup outlined above provides a high degree of confidence that responses served in this way cannot lead to injection or isolation vulnerabilities.
While the above solution represents a generally sufficient defense against XSS, there are a number of additional hardening measures that you can apply to provide additional layers of security:
X-Content-Security-Policy: sandbox
header for compatibility with IE11
Content-Security-Policy: frame-ancestors 'none'
header to block the endpoint from being embedded
product.usercontent.google.com
)
Cross-Origin-Opener-Policy: same-origin
and Cross-Origin-Embedder-Policy: require-corp
to enable cross-origin isolation
Safely serving active content (e.g. HTML or SVG images) can also be done without the weaknesses of the classic sandbox domain approach.
The simplest option is to take advantage of the Content-Security-Policy: sandbox
header to tell the browser to isolate the response. While not all web browsers currently implement process isolation for sandbox documents, ongoing refinements to browser process models are likely to improve the separation of sandboxed content from embedding applications. If SpectreJS and renderer compromise attacks are outside of your threat model, then using CSP sandbox is likely a sufficient solution.
At Google, we’ve developed a solution that can fully isolate untrusted active content by modernizing the concept of sandbox domains. The core idea is to:
exampleusercontent.com
to the PSL, you can ensure that foo.exampleusercontent.com
and bar.exampleusercontent.com
are cross-site and thus fully isolated from each other.
*.exampleusercontent.com/shim
are all routed to a static shim file. This shim file contains a short HTML/JS snippet that listens to the message
event handler and renders any content it receives.
$RANDOM_VALUE.exampleusercontent.com/shim
and uses postMessage
to send the untrusted content to the shim for rendering.
Compared to the classic sandbox domain approach, this ensures that all content is fully isolated on a unique site. And, by having the main application deal with retrieving the data to be rendered, it is no longer necessary to use capability URLs.
Together, these two solutions make it possible to migrate off of classic sandbox domains like googleusercontent.com
to more secure solutions that are compatible with third-party cookie blocking. At Google, we’ve already migrated many products to use these solutions and have more migrations planned for the next year. We hope that by sharing these solutions, we can help other websites easily serve untrusted content in a secure manner.
Click to Open Code Editor