[tahoe-dev] How to use Caja to solve the same-origin policy hazard (hosting both webapps and untrusted content in Tahoe)

Kevin Reid kpreid at switchb.org
Sat Jul 30 00:39:37 UTC 2011


The usual previous idea for same-origin policy hazards in Tahoe has been wildcard domains to create an infinite set of origins. However, this is likely hard to set up for the average user.

In this scheme, each Tahoe gateway needs exactly two distinct origins (i.e. two domains or two port numbers).

Origin #1 serves files from Tahoe only as rewritten by Caja, as well as all parts of the WUI except for files (i.e. including directory views). Origin #1 is therefore safe for viewing potentially malicious content in a web browser, and also for viewing and interacting with web-applications hosted in the grid (e.g. Zooko's TiddlyWiki blog).

  (To support this, Caja needs enhancement to support viewing a whole
  page through the rewriter, without any explicit containing page
  setting up a virtual iframe. This should be done anyway, and is not
  a hard engineering problem.)

Origin #2 is the classic Tahoe WAPI server which serves files from the grid, which should now never be accessed by a web browser (unless by script XHR, usually from within origin #1). Origin #2 is used by all clients which are doing plain file-transfer and want the original unmodified bytes; origin #2 can set 'Content-Disposition: attachment' to discourage browsers from executing served content. (Note that one must not provide a URL query parameter to change the disposition, as that would support maliciously-constructed links.)

Given the two origins, the only way you are in danger is if you have two “raw” (from origin #2) documents open in your browser at once (one which is malicious, and one which contains secrets), but given Content-Disposition, a typical browser will not open (rather than downloading) *either*.

This scheme also has a nice division to it: Origin #1 serves only content generated by Tahoe-or-Caja; Origin #2 serves only arbitrary uploaded content.
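To make the split concrete, here is a small added example (not code from Tahoe or Caja, and not part of the original post) of a request router for the two-origin gateway: origin #1 serves only WUI pages and Caja-rewritten files, origin #2 serves only raw bytes and always sets `Content-Disposition: attachment`, ignoring any query parameter that asks for a different disposition. The origin values, the `/file/` path prefix and the handler names are assumptions made for the example.

```python
import re
from urllib.parse import quote

# Constructed origin names for the two gateway endpoints (assumed, not Tahoe's real defaults).
ORIGIN_SAFE = "https://tahoe.example:3456"  # origin #1: WUI pages + Caja-rewritten files
ORIGIN_RAW = "https://tahoe.example:3457"   # origin #2: raw, unmodified bytes only


def _safe_filename(name: str) -> str:
    """Restrict the filename to a conservative character set so an uploaded
    name cannot smuggle CR/LF or quotes into the Content-Disposition header."""
    base = name.rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return cleaned or "download"


def raw_origin_headers(filename: str, content_type: str, query_string: str = "") -> dict:
    """Response headers for a file served from origin #2.

    The disposition is always 'attachment'. The query string is accepted as an
    argument only to make the point explicit: a parameter such as
    ?disposition=inline is never honoured, so a maliciously constructed link
    cannot make the browser render the served content in origin #2.
    """
    fn = _safe_filename(filename)
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"; filename*=UTF-8\'\'%s'
        % (fn, quote(fn)),
    }


def route(origin: str, path: str, query_string: str = "") -> tuple:
    """Pick the handler for a request based solely on the origin it arrived on."""
    if origin == ORIGIN_SAFE:
        # Files on origin #1 go through the Caja rewriter; everything else is the WUI.
        if path.startswith("/file/"):
            return ("caja-rewritten", path, {})
        return ("wui", path, {})
    if origin == ORIGIN_RAW:
        name = path.rsplit("/", 1)[-1]
        return ("raw", path, raw_origin_headers(name, "application/octet-stream", query_string))
    raise ValueError("request arrived on an unknown origin: %r" % origin)
```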


Any comments? Security issues? Do you think this is worth doing?


[Disclosure: I am currently being paid to work on Caja.]

-- 
Kevin Reid                                  <http://switchb.org/kpreid/>
