[tahoe-dev] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?

tahoe-lafs trac at allmydata.org
Tue Feb 10 08:24:29 UTC 2009

#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
 Reporter:  zooko    |           Owner:  nobody   
     Type:  defect   |          Status:  new      
 Priority:  major    |       Milestone:  undecided
Component:  unknown  |         Version:  1.3.0    
 Keywords:           |   Launchpad_bug:           
 Several web security experts (who will remain unnamed in this ticket since
 they have yet to show me a working exploit) have said that if have a page
 containing JavaScript in one window or tab of a web browser, and you have
 another page in a different window or tab of that browser, that the web
 browser will inspect the "origin" of the JavaScript and the "origin" of
 the other page to decide whether the JavaScript will be allowed to read or
 change parts of the other page (including its URL).

 By "origin", these web security experts tell me, web browsers mean "host
 and port number" (or possibly they look at only the top two elements of
 the host domain name).  Since all pages that are stored on tahoe and that
 you are viewing in a web browser are coming from the same host (sometimes
 localhost or and port number, this means any JavaScript that
 you view through your tahoe node can access all the URLs of all the other
 pages you have loaded (or possibly have ever loaded since you launched
 your browser) from Tahoe.  (Furthermore, just to make things worse, these
 web security experts allege that it might be possible for the JavaScript
 program to ''stay running'' in your browser even after you close that tab
 or window and continue to access your other tabs or windows which were
 loaded from the same "origin".)

 If true, this is bad.  Because those other pages, while they are loaded
 from the same host and portnumber, could actually be from very different
 ''origins''.  One might be a cute game that you want to play that was
 passed along from a friend of a friend.  Another might be your personal
 finance database with all of your bank account numbers and billing
 information.  We would like it if the web browser would allow you to play
 the fun game in one window, and edit your personal finance document in
 another window, without giving the game the ability to read (and therefore
 to upload) or change your personal document.  Even though both pages were
 loaded from or from
 http://testgrid.allmydata.org:3567 or whatever.

 In the long run it might be possible for us to arrange to do this, such as
 by embedding a unique string, possibly the verifycap or possibly an
 incrementing string, into the domain name, or by taking advantage of some
 not-yet-created mechanism to tell web browsers "No, no, these two things
 are of different origins even though they are loaded from the same host
 and port.".

 In the short run, it might be wise to avoid looking at pages in tahoe if
 they might have malicious content on them, unless you first turn off
 JavaScript in your web browser.  Hopefully someone will help us understand
 exactly how dangerous this situation is, by posting a working exploit or
 some sort of proof that is is safe.

Ticket URL: <http://allmydata.org/trac/tahoe/ticket/615>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid

More information about the tahoe-dev mailing list