Update Flash-related aspects of the Site Isolation threat model.

Bug: 816318, 874515 Change-Id: I8d165ec355036f8c190bb21e1c50ee8f9b6a4d5a Reviewed-on: https://chromium-review.googlesource.com/1176389Reviewed-by: Chris Palmer <palmer@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#584459}

Update Flash-related aspects of the Site Isolation threat model.
Bug: 816318, 874515 Change-Id: I8d165ec355036f8c190bb21e1c50ee8f9b6a4d5a Reviewed-on: https://chromium-review.googlesource.com/1176389Reviewed-by: Chris Palmer <palmer@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#584459}
7d706632 · Lukasz Anforowicz · Commit Bot · 958b1b6b · 7d706632
Commit 7d706632 authored Aug 20, 2018 by Lukasz Anforowicz Committed by Commit Bot Aug 20, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 8 deletions

docs/security/side-channel-threat-model.md docs/security/side-channel-threat-model.md +12 -8

No files found.
--- a/docs/security/side-channel-threat-model.md
+++ b/docs/security/side-channel-threat-model.md
@@ -140,14 +140,12 @@ malicious website from pulling in sensitive cross-origin data. Otherwise, an
 attacker could use markup like `<img src="http://example.com/secret.json">` to
 get cross-origin data within reach of Spectre or other OOB-read exploits.
-As of M63, CORB protects:
+As of M65, CORB protects:
 * HTML, JSON, and XML responses.
-   * Protection requires the resource to be served with the correct
+  Protection requires the resource to be served with the correct
-     `Content-Type` header. [We recommend using `X-Content-Type-Options:
+  `Content-Type` header. [We recommend using `X-Content-Type-Options:
-     nosniff`](https://www.chromium.org/Home/chromium-security/ssca).
+  nosniff`](https://www.chromium.org/Home/chromium-security/ssca).
-   * In M65 we broadened which content types are considered JSON and XML. (E.g.
-     M63 didn’t consider `*+xml`.)
 * text/plain responses which sniff as HTML, XML, or JSON.
 Today, CORB doesn’t protect:
@@ -161,6 +159,7 @@ Today, CORB doesn’t protect:
   * `font/*`
   * `application/javascript`
   * PDFs, ZIPs, and other unrecognized MIME types
+* Responses to requests initiated from the Flash plugin.
 Site operators should read and follow, where applicable, [our guidance for
 maximizing CORB and other defensive
@@ -210,8 +209,13 @@ tracked this as [Issue
 ###### Flash
 Click To Play greatly reduces the risk that Flash-borne Spectre (and other)
-exploits will be effective at scale. Even so, [we might want to consider SI for
+exploits will be effective at scale.  Additionally, the enterprise policies
-Flash](https://bugs.chromium.org/p/chromium/issues/detail?id=816318).
+[PluginsBlockedForUrls](https://www.chromium.org/administrators/policy-list-3#PluginsBlockedForUrls)
+and
+[PluginsAllowedForUrls](https://www.chromium.org/administrators/policy-list-3#PluginsAllowedForUrls)
+can be combined to restrict Flash to specific websites.
+Even so,
+[we might want to consider teaching CORB about Flash flavour of CORS](https://crbug.com/816318).
 ##### All Frames In A `<webview>` Run In The Same Process