[tahoe-dev] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?
tahoe-lafs
trac at allmydata.org
Tue Feb 10 00:24:29 PST 2009
#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
---------------------+------------------------------------------------------
Reporter: zooko | Owner: nobody
Type: defect | Status: new
Priority: major | Milestone: undecided
Component: unknown | Version: 1.3.0
Keywords: | Launchpad_bug:
---------------------+------------------------------------------------------
Several web security experts (who will remain unnamed in this ticket since
they have yet to show me a working exploit) have said that if have a page
containing JavaScript in one window or tab of a web browser, and you have
another page in a different window or tab of that browser, that the web
browser will inspect the "origin" of the JavaScript and the "origin" of
the other page to decide whether the JavaScript will be allowed to read or
change parts of the other page (including its URL).
By "origin", these web security experts tell me, web browsers mean "host
and port number" (or possibly they look at only the top two elements of
the host domain name). Since all pages that are stored on tahoe and that
you are viewing in a web browser are coming from the same host (sometimes
localhost or 127.0.0.1) and port number, this means any JavaScript that
you view through your tahoe node can access all the URLs of all the other
pages you have loaded (or possibly have ever loaded since you launched
your browser) from Tahoe. (Furthermore, just to make things worse, these
web security experts allege that it might be possible for the JavaScript
program to ''stay running'' in your browser even after you close that tab
or window and continue to access your other tabs or windows which were
loaded from the same "origin".)
If true, this is bad. Because those other pages, while they are loaded
from the same host and portnumber, could actually be from very different
''origins''. One might be a cute game that you want to play that was
passed along from a friend of a friend. Another might be your personal
finance database with all of your bank account numbers and billing
information. We would like it if the web browser would allow you to play
the fun game in one window, and edit your personal finance document in
another window, without giving the game the ability to read (and therefore
to upload) or change your personal document. Even though both pages were
loaded from http://127.0.0.1:4567 or from
http://testgrid.allmydata.org:3567 or whatever.
In the long run it might be possible for us to arrange to do this, such as
by embedding a unique string, possibly the verifycap or possibly an
incrementing string, into the domain name, or by taking advantage of some
not-yet-created mechanism to tell web browsers "No, no, these two things
are of different origins even though they are loaded from the same host
and port.".
In the short run, it might be wise to avoid looking at pages in tahoe if
they might have malicious content on them, unless you first turn off
JavaScript in your web browser. Hopefully someone will help us understand
exactly how dangerous this situation is, by posting a working exploit or
some sort of proof that is is safe.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/615>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
More information about the tahoe-dev
mailing list