Specialists from Google have published proof-of-concept (PoC) code in JavaScript to exploit the Spectre vulnerability, which allows an attacker to read information from the memory of web browsers. According to the Google security team, the PoC code works across a wide range of processor architectures, operating systems, and hardware generations.
Google advises developers to use the new security mechanisms as measures to prevent exploitation of the Spectre vulnerability. In addition to standard defenses such as the X-Content-Type-Options and X-Frame-Options headers, Google recommends enabling the following policies as part of ongoing efforts to prevent Spectre attacks.
Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers allow developers to control which sites can embed their resources such as images or scripts, preventing data from being injected into an attacker-controlled browser rendering process.
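The Fetch Metadata request headers mentioned above (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) let a server decide on its own whether a request came from an expected context before it spends any effort serving the resource. The following is an added example, not code from Google or from the article: a default-deny "resource isolation" check written in Python, assuming the request method and a header dictionary are handed in by whatever web framework is in use. Same-origin and same-site requests pass, plain top-level GET/HEAD navigations pass (so links to the site still work), and everything else cross-site is refused. Requests from older browsers that send no Sec-Fetch-Site header are let through, because the policy cannot be enforced for them and blocking them would break legitimate traffic.

```python
"""Fetch Metadata resource isolation check (added example, not Google's code).

The header names and directive values are the real Fetch Metadata ones;
the sample requests at the bottom are constructed for illustration.
"""

# Browser-initiated navigations to these destinations are still denied
# cross-site, because <object>/<embed> can load a resource into the
# embedding site's rendering process.
_BLOCKED_NAVIGATION_DESTS = {"object", "embed"}


def is_request_allowed(method: str, headers: dict) -> bool:
    """Return True if the request should be served, False if it should be
    rejected (e.g. with HTTP 403) under a default-deny isolation policy."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")

    # No Fetch Metadata at all: legacy browser or non-browser client.
    # The policy cannot be applied, so fall back to allowing the request.
    if site is None:
        return True

    # Requests from our own origin/site, or user-initiated ones (address
    # bar, bookmarks), are always fine.
    if site in ("same-origin", "same-site", "none"):
        return True

    # Allow simple cross-site top-level navigations and framing so that
    # links to the site keep working; reject anything that would pull the
    # resource into another site's process as a subresource.
    if (
        h.get("sec-fetch-mode") == "navigate"
        and method.upper() in ("GET", "HEAD")
        and h.get("sec-fetch-dest") not in _BLOCKED_NAVIGATION_DESTS
    ):
        return True

    return False


# Constructed sample requests: (label, method, headers)
SAMPLE_REQUESTS = [
    ("cross-site image load", "GET",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
      "Sec-Fetch-Dest": "image"}),
    ("cross-site link click", "GET",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
      "Sec-Fetch-Dest": "document"}),
    ("same-origin XHR", "GET",
     {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors",
      "Sec-Fetch-Dest": "empty"}),
    ("legacy browser", "GET", {}),
]


def classify_samples() -> dict:
    """Map each constructed sample label to the policy decision."""
    return {label: is_request_allowed(m, hdrs) for label, m, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, allowed in classify_samples().items():
        print(f"{label:24s} -> {'allow' if allowed else 'deny'}")
```

In practice this check runs as middleware in front of every handler; the CORP header on the response is the complementary browser-side control, and the two together cover both old browsers (which only honour CORP if they support it) and new ones.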
The Cross-Origin Opener Policy (COOP) allows developers to ensure that the application window does not receive unexpected interactions with other websites, allowing the browser to isolate it in its own process. This adds important process-level security, especially in browsers that do not support full site isolation.
The Cross-Origin Embedder Policy (COEP) ensures that any authenticated cross-origin resource requested by the app has explicitly opted in to being loaded (via CORP or CORS). To obtain process-level isolation for highly responsive apps in Chrome or Firefox, apps must set both COEP and COOP policies.
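Because the isolation described above only takes effect when COOP and COEP are both present with the right directives, a common mistake is to set one of them, or to pick a permissive directive such as `same-origin-allow-popups`, and assume the app is isolated. The following is an added example, not code from Google or Chrome: a small Python audit that compares a response's headers against the set this article recommends (X-Content-Type-Options, X-Frame-Options, CORP, COOP, COEP) and reports whether the COOP/COEP pair actually grants cross-origin isolation. The "weak" and "hardened" header sets at the bottom are constructed for illustration; the directive names are the real ones.

```python
"""Audit of Spectre-hardening response headers (added example, not Google's code)."""

# Recommended header -> set of acceptable values (lower-case).
# Assumption: the app does not need to be framed or embedded by other sites.
RECOMMENDED = {
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"deny", "sameorigin"},
    "Cross-Origin-Resource-Policy": {"same-origin", "same-site"},
    "Cross-Origin-Opener-Policy": {"same-origin"},
    "Cross-Origin-Embedder-Policy": {"require-corp", "credentialless"},
}


def _normalise(headers: dict) -> dict:
    return {k.lower(): v.strip().lower() for k, v in headers.items()}


def grants_cross_origin_isolation(headers: dict) -> bool:
    """True only when COOP and COEP are both set to directives that make the
    browser put the document in its own cross-origin-isolated process
    (COOP: same-origin plus COEP: require-corp or credentialless)."""
    h = _normalise(headers)
    return (
        h.get("cross-origin-opener-policy") == "same-origin"
        and h.get("cross-origin-embedder-policy") in {"require-corp", "credentialless"}
    )


def audit(headers: dict) -> list:
    """Return a list of (header, actual_value_or_None) for every recommended
    header that is missing or set to a value outside the accepted set."""
    h = _normalise(headers)
    findings = []
    for name, accepted in RECOMMENDED.items():
        actual = h.get(name.lower())
        if actual not in accepted:
            findings.append((name, actual))
    return findings


# Constructed sample responses.
WEAK_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    # Popups are allowed to keep a reference to this window: no isolation.
    "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
    "Cross-Origin-Embedder-Policy": "unsafe-none",
}

HARDENED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: isolated={grants_cross_origin_isolation(hdrs)}")
        for name, actual in audit(hdrs):
            print(f"  {name}: {actual!r} (expected one of {sorted(RECOMMENDED[name])})")
```

The `credentialless` COEP directive is accepted here because Chrome treats it as sufficient for isolation; if Firefox support matters, `require-corp` is the portable choice. After deploying, `self.crossOriginIsolated` in the page's JavaScript confirms whether the browser actually applied the isolation.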
The Google security team has also prototyped a Chrome extension called Spectroscope to help security experts and web developers protect their sites from Spectre attacks. Spectroscope scans applications for resources that might require additional protection against Spectre attacks to be enabled.