Re: [whatwg] first script and impersonating other pages - pushState(url)

2009-09-04 Thread Mike Wilson 
Justin Lebar wrote:
 Mike Wilson wrote:
  The result is that the address bar URL can't be trusted, as
  any page on the site can impersonate any other without
  consent from that page or part of the site?
 
 Someone will correct me if I'm wrong, but I think this is already
 pretty much the case with today's same-origin policy, albeit with a
 bit more work.  My understanding is that if A and B have the same
 origin, they can do whatever they want to each others' documents,
 including modifying content.  So if you can control script at
 http://google.com/~mwilson , and a user has both your site and
 http://google.com/securesite , then your malicious page can do
 whatever it wants to the secure page.
 
 That's why it's important that you trust all the javascript which runs
 on your origin.

Ian Hickson wrote:
 The Web has a same-origin security model. If you're sharing 
 one origin between two untrusted authors, you've already lost.
 
 For example, today you could already do what you describe -- just use 
 window.open() to open the topclientsonly/login page, and then inject 
 script to grab the password.

Yes of course, should have thought about that :-P. As
you say, it is trivial to add a frame that displays 
the victim page and then patch it to my needs.
Well, if there will ever be a path-based security
mechanism (as suggested in my other thread) I guess 
it could apply to pushState as well.

Thanks
Mike

Re: [whatwg] first script and impersonating other pages - pushState(url)

2009-09-03 Thread Ian Hickson 
On Mon, 31 Aug 2009, Mike Wilson wrote:
 Ian Hickson wrote:
  On Fri, 21 Aug 2009, Mike Wilson wrote:
  
   I'm currently wrapping my head around the notion of 
   first script in the spec [1]. It's description is 
   a bit terse and the subject seems non-trivial, so 
   maybe the text could be fleshed out some?
   
   Section 6.1.5 Groupings of browsing contexts 
   says:
   | Each unit of related similar-origin browsing 
   | contexts can have a first script which is used to 
   | obtain, amongst other things, the script's base 
   | URL to resolve relative URLs used in scripts 
   | running in that unit of related similar-origin 
   | browsing contexts. Initially, there is no first 
   | script.
   
   Does this implicitly say that this set of browsing 
   contexts should never execute script in parallel?
  
  No, that is implied by the event loop mechanism.
  
 http://www.whatwg.org/specs/web-apps/current-work/#event-loops
 
 Ah thanks, that made it clear. 6.1.5 might get a little easier to 
 understand if some text mentioned the shared event loop for this set of 
 browsing contexts, or linked to 6.5.4.

Done.


 /pages/page1.html:
   script src=/scripts/script1.js
   *1  button onclick=func1();
   
 /scripts/script1.js:
   function func1() { ... }
   *2  func1();
   
   What is regarded as *first script* in these two 
   calls to func1() ?
   *1: the implicitly generated event handler wrapper 
   in /pages/page1.html ?
   *2: /scripts/script1.js
  
  Yes.
  
   [...]
   Imagine that I want my loaded page:
 /pages/section1/thing1
   be able to impersonate:
 /pages/section2/thing2
   how do you envision this to be structured? 
   
   Something like this? :
   
 /pages/section1/thing1:
   script src=/pages/script.js
   button onclick=impersonate();
   
 /pages/script.js:
   function impersonate() {
 ...pushState(..., /pages/section2/thing2);
   }
  
  That would do it, yes.
 
 Per *1 in the first example, wouldn't the first script
 (corresponding to the button click) be the implicitly 
 generated event handler in:
   /pages/section1/thing1
 with a basedir of
   /pages/section1
 thereby making the call to:
   ...pushState(..., /pages/section2/thing2);
 throw SECURITY_ERR in step 2.2 of the pushState
 algorithm?

No, why?

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] first script and impersonating other pages - pushState(url)

2009-09-03 Thread Mike Wilson 
Ian Hickson wrote:
 
 On Mon, 31 Aug 2009, Mike Wilson wrote:
  
  Ian Hickson wrote:
  
   On Fri, 21 Aug 2009, Mike Wilson wrote:
   
[...]
Imagine that I want my loaded page:
  /pages/section1/thing1
be able to impersonate:
  /pages/section2/thing2
how do you envision this to be structured? 

Something like this? :

  /pages/section1/thing1:
script src=/pages/script.js
button onclick=impersonate();

  /pages/script.js:
function impersonate() {
  ...pushState(..., /pages/section2/thing2);
}
   
   That would do it, yes.
  
  [...] wouldn't the first script
  (corresponding to the button click) be the implicitly 
  generated event handler in:
/pages/section1/thing1
  with a basedir of
/pages/section1
  thereby making the call to:
...pushState(..., /pages/section2/thing2);
  throw SECURITY_ERR in step 2.2 of the pushState
  algorithm?
 
 No, why?

Because I was interpreting the following from the spec
and your previous mail:
- clicking the button will trigger the anonymous
  event handler in /pages/section1/thing1 and will 
  result in activating a first script with 
  basedir=/pages/section1
- when the anonymous event handler calls into the
  impersonate() function defined in /pages/script.js
  the initial script (and basedir) remains as first 
  script and does not activate basedir=/pages
- calling pushState(..., /pages/section1/thing2) when
  first script's basedir=/pages/section1 will be ok
- calling pushState(..., /pages/section2/thing2) when
  first script's basedir=/pages/section1 will not be 
  allowed (and throw).

Is any of these wrong?

Best regards
Mike

Re: [whatwg] first script and impersonating other pages - pushState(url)

2009-09-03 Thread Ian Hickson 
On Thu, 3 Sep 2009, Mike Wilson wrote:

 - calling pushState(..., /pages/section1/thing2) when
   first script's basedir=/pages/section1 will be ok

 - calling pushState(..., /pages/section2/thing2) when
   first script's basedir=/pages/section1 will not be 
   allowed (and throw).
 
 Is any of these wrong?

The path part of the URL is ignored when deciding whether or not to allow 
the call.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] first script and impersonating other pages - pushState(url)

2009-09-03 Thread Mike Wilson 
Ian Hickson wrote:
 
 On Thu, 3 Sep 2009, Mike Wilson wrote:
 
  - calling pushState(..., /pages/section1/thing2) when
first script's basedir=/pages/section1 will be ok
 
  - calling pushState(..., /pages/section2/thing2) when
first script's basedir=/pages/section1 will not be 
allowed (and throw).
  
  Is any of these wrong?
 
 The path part of the URL is ignored when deciding whether or 
 not to allow the call.

Rereading the spec again I see that. Sorry, my bad :-S
I see now that the first script's url is only used to keep 
pushState on the same origin, while I was expecting it to
keep pushState urls on the same sub branch path.

But doesn't this open up a fairly bad security exploit?

Let's say that I have rights to post to a blog on:
  www.corporatesite.com/fan/blog
Assuming I can get some JavaScript inside one of my blog
posts, I can then pretend I am redirecting the user to:
  www.corporatesite.com/topclientsonly/login
while I am really impersonating that page through pushState
and harvesting their passwords.

The result is that the address bar URL can't be trusted, as
any page on the site can impersonate any other without 
consent from that page or part of the site?

Best regards
Mike

Re: [whatwg] first script and impersonating other pages - pushState(url)

2009-09-03 Thread Ian Hickson 
On Fri, 4 Sep 2009, Mike Wilson wrote:
 
 Let's say that I have rights to post to a blog on:
   www.corporatesite.com/fan/blog
 Assuming I can get some JavaScript inside one of my blog
 posts, I can then pretend I am redirecting the user to:
   www.corporatesite.com/topclientsonly/login
 while I am really impersonating that page through pushState
 and harvesting their passwords.

The Web has a same-origin security model. If you're sharing one origin 
between two untrusted authors, you've already lost.

For example, today you could already do what you describe -- just use 
window.open() to open the topclientsonly/login page, and then inject 
script to grab the password.


 The result is that the address bar URL can't be trusted, as any page on 
 the site can impersonate any other without consent from that page or 
 part of the site?

That's already the case.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] first script and impersonating other pages - pushState(url)

2009-09-03 Thread Justin Lebar 
Mike Wilson wrote:
 The result is that the address bar URL can't be trusted, as
 any page on the site can impersonate any other without
 consent from that page or part of the site?

Someone will correct me if I'm wrong, but I think this is already
pretty much the case with today's same-origin policy, albeit with a
bit more work.  My understanding is that if A and B have the same
origin, they can do whatever they want to each others' documents,
including modifying content.  So if you can control script at
http://google.com/~mwilson , and a user has both your site and
http://google.com/securesite , then your malicious page can do
whatever it wants to the secure page.

That's why it's important that you trust all the javascript which runs
on your origin.

-Justin

Re: [whatwg] first script and impersonating other pages - pushState(url)

2009-08-31 Thread Mike Wilson 
Ian Hickson wrote:
 
 On Fri, 21 Aug 2009, Mike Wilson wrote:
 
  I'm currently wrapping my head around the notion of 
  first script in the spec [1]. It's description is 
  a bit terse and the subject seems non-trivial, so 
  maybe the text could be fleshed out some?
  
  Section 6.1.5 Groupings of browsing contexts 
  says:
  | Each unit of related similar-origin browsing 
  | contexts can have a first script which is used to 
  | obtain, amongst other things, the script's base 
  | URL to resolve relative URLs used in scripts 
  | running in that unit of related similar-origin 
  | browsing contexts. Initially, there is no first 
  | script.
  
  Does this implicitly say that this set of browsing 
  contexts should never execute script in parallel?
 
 No, that is implied by the event loop mechanism.
 
http://www.whatwg.org/specs/web-apps/current-work/#event-loops

Ah thanks, that made it clear. 6.1.5 might get a little
easier to understand if some text mentioned the shared 
event loop for this set of browsing contexts, or linked 
to 6.5.4.

/pages/page1.html:
  script src=/scripts/script1.js
  *1  button onclick=func1();
  
/scripts/script1.js:
  function func1() { ... }
  *2  func1();
  
  What is regarded as *first script* in these two 
  calls to func1() ?
  *1: the implicitly generated event handler wrapper 
  in /pages/page1.html ?
  *2: /scripts/script1.js
 
 Yes.
 
  [...]
  Imagine that I want my loaded page:
/pages/section1/thing1
  be able to impersonate:
/pages/section2/thing2
  how do you envision this to be structured? 
  
  Something like this? :
  
/pages/section1/thing1:
  script src=/pages/script.js
  button onclick=impersonate();
  
/pages/script.js:
  function impersonate() {
...pushState(..., /pages/section2/thing2);
  }
 
 That would do it, yes.

Per *1 in the first example, wouldn't the first script
(corresponding to the button click) be the implicitly 
generated event handler in:
  /pages/section1/thing1
with a basedir of
  /pages/section1
thereby making the call to:
  ...pushState(..., /pages/section2/thing2);
throw SECURITY_ERR in step 2.2 of the pushState
algorithm?

Best regards
Mike