[tahoe-dev] How to use Caja to solve the same-origin policy hazard (hosting both webapps and untrusted content in Tahoe)

Frederik Braun Frederik.Braun+tahoe at ruhr-uni-bochum.de
Sat Jul 30 15:34:22 UTC 2011



On 30.07.2011 02:39, Kevin Reid wrote:
> The usual previous idea for same-origin policy hazards in Tahoe has
> been wildcard domains to create an infinite set of origins. However,
> this is likely hard to set up for the average user.
> 
> In this scheme, each Tahoe gateway needs exactly two distinct origins
> (i.e. two domains or two port numbers).
> 
> Origin #1 serves files from Tahoe only as rewritten by Caja, as well
> as all parts of the WUI except for files (i.e. including directory
> views). Origin #1 is therefore safe for viewing potentially malicious
> content in a web browser, and also for viewing and interacting with
> web-applications hosted in the grid (e.g. Zooko's TiddlyWiki blog).
> 
> (To support this, Caja needs enhancement to support viewing a whole 
> page through the rewriter, without any explicit containing page 
> setting up a virtual iframe. This should be done anyway, and is not a
> hard engineering problem.)
> 
> Origin #2 is the classic Tahoe WAPI server which serves files from
> the grid, which should now never be accessed by a web browser (unless
> by script XHR, usually from within origin #1). Origin #2 is used by
> all clients which are doing plain file-transfer and want the original
> unmodified bytes; origin #2 can set 'Content-Disposition: attachment'
> to discourage browsers from executing served content. (Note that one
> must not provide a URL query parameter to change the disposition, as
> that would support maliciously-constructed links.)
> 
> Given the two origins, the only way you are in danger is if you have
> two “raw” (from origin #2) documents open in your browser at once
> (one which is malicious, and one which contains secrets), but given
> Content-Disposition, a typical browser will not open (rather than
> downloading) *either*.
> 
> This scheme also has a nice division to it: Origin #1 serves only
> content generated by Tahoe-or-Caja; Origin #2 serves only arbitrary
> uploaded content.

I'm wondering if two origins wouldn't suffice as a /first/ step towards
improved security. Assuming that one port only serves tahoe's WUI and
links to files hosted on the second port (which only serves the stored
files), we would have two separate origins. That would already improve
security in terms of untrusted JavaScript.

I do not dare to comment any further regarding the Caja part of your
suggestion, as I have not fully grasped it ;)

> 
> 
> Any comments? Security issues? Do you think this is worth doing?
> 
> 
> [Disclosure: I am currently being paid to work on Caja.]
> 
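As an added illustration of the split Kevin describes (two distinct origins, raw bytes always served as an attachment, and a disposition that no query parameter can switch), here is a small Python sketch of the decision logic. It is not code from this thread or from Tahoe-LAFS: the helper names (origin_of, origins_are_distinct, raw_file_headers), the sample ports and the exact header values are assumptions chosen for the example.

```python
"""Added example: the two-origin split from the thread, as header logic.

Hypothetical helper names; nothing here is Tahoe-LAFS code.
"""
from urllib.parse import urlsplit, quote

# Default ports a browser assumes when the URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple a browser treats as the origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def origins_are_distinct(wui_url, raw_url):
    """True only if the WUI origin (#1) and the raw-file origin (#2) differ
    in scheme, host or port; two spellings of one origin do not count."""
    return origin_of(wui_url) != origin_of(raw_url)


def content_disposition_attachment(filename):
    """Build an 'attachment' disposition with an ASCII fallback name and an
    RFC 6266 filename* parameter, so a stored file name cannot smuggle
    header syntax (quotes, backslashes, CR/LF) into the response."""
    fallback = filename.encode("ascii", "replace").decode("ascii")
    for ch in '"\\\r\n':
        fallback = fallback.replace(ch, "")
    return "attachment; filename=\"%s\"; filename*=UTF-8''%s" % (
        fallback, quote(filename, safe=""))


def raw_file_headers(filename, query_string=""):
    """Response headers for a file served from origin #2 (raw bytes).

    query_string is accepted because a real server receives one, but it is
    deliberately never consulted: the disposition must not be switchable
    by a crafted link such as ?disposition=inline."""
    del query_string  # documents that the query has no influence at all
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": content_disposition_attachment(filename),
        "X-Content-Type-Options": "nosniff",  # no MIME sniffing into HTML
    }


if __name__ == "__main__":
    # Constructed sample configuration: one host, two port numbers.
    wui, raw = "http://127.0.0.1:3456/", "http://127.0.0.1:3457/"
    print("distinct origins:", origins_are_distinct(wui, raw))
    print(raw_file_headers("page.html", "disposition=inline"))
```

The origin check matters because "two domains or two port numbers" is easy to get wrong in configuration: `http://localhost:80/` and `http://localhost/` are the same origin, so the split buys nothing in that case, which the function reports.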


