[tahoe-dev] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?
tahoe-lafs
trac at allmydata.org
Thu Oct 29 23:09:51 UTC 2009
#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
---------------------------+------------------------------------------------
Reporter: zooko | Type: defect
Status: new | Priority: critical
Milestone: undecided | Component: code-frontend-web
Version: 1.3.0 | Keywords: newcaps security
Launchpad_bug: |
---------------------------+------------------------------------------------
Comment(by davidsarah):
Replying to [comment:1 swillden]:
> Another option is to use cookies. A cookie can also be made specific to
a host/domain but also to a path. As I understand it (haven't tested),
Javascript loaded from path A should not have access to cookies set
specific to path B. If Tahoe were to set per-path cookies on first access
to a path, then refuse later requests that don't include the right cookie,
then Javascript from path B would not be able to successfully load URLs on
path A, because it wouldn't have the cookie.
> There are numerous downsides to the cookie approach ...
Yes. The following paper (which is essential reading for this ticket)
explains why this can't work from a security point of view:
* Beware of Finer-Grained Origins
* Collin Jackson and Adam Barth
* In Web 2.0 Security and Privacy. (W2SP 2008)
* http://crypto.stanford.edu/websec/origins/fgo.pdf
* "Cookie Paths. One classic example of a sub-origin privilege is the
ability to read cookies with "path" attributes. In order to read such a
cookie, the path of the document's URL must extend the path of the cookie.
However, the ability to read these cookies leaks to all documents in the
origin because a same-origin document can inject script into a document
with the appropriate path (even a 404 "not found" document) and read the
cookies. This "vulnerability" has been known for a number of years ...
This vulnerability was "fixed" by declaring the path attribute to be a
convenience feature rather than a security feature."
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/615#comment:6>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
More information about the tahoe-dev
mailing list