-
Notifications
You must be signed in to change notification settings - Fork 184
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UP-01-003 Worker-based Isolation does not prevent XHR & Sockets etc. #365
Comments
One issue with frames that makes us hesitant to use them, even with the sandbox attribute to limit communication is that the frame code often will run in the same event loop as the outer page, allowing for denial of service issues. Workers will definitely run in a separate event loop, which seems preferable. |
The attack surface for a sandbox Iframe is also significantly larger. There you have a full blown DOM, sometimes even visible to the user ( While we didn't manage to find a browser allowing to use a DOM inside a worker (e.g. by using XHR & |
Freedom issue for this is here: freedomjs/freedom#110 |
More detailed updates in freedom issue, but the short of it is this is the tentative whitelist: And there's a few commits that mask things not on the whitelist from the global scope of webworkers in freedom. |
Can we clarify when we expect these changes to be in FreedomJS? We don't On Fri Oct 24 2014 at 12:29:09 PM soycode [email protected] wrote:
|
I have less information/opinion about timeline, but re: modules that need access I think it'd be best to wrap it in an interface where the permissions can be specified in the manifest. EDIT - which is basically the "move XHRs to a core provider", so yeah, if the decision is "not this quarter" then I can sit on this for the time being. Having the whitelist spreadsheet out there is still a good thing as people can peruse and comment as desired. |
I'd suggest we focus on P1 issues this quarter, then we can all be excited about contributing stuff to the release. 🎆 But, yes, moving XHR to core provider is the right thing for freedom 0.7 / uproxy 2 |
Ah, and yes, whitelist spreadsheet is really useful! |
I think it's valuable to develop a definitive API of what is available in a module as part of the design document explaining the security properties of freedom.js so that we can go to outside security auditors and be able to say: this is what the freedom.js library claims to do for the system. The response we've gotten so far from 2 different external parties was that they weren't comfortable auditing freedom because there was no clear sense of what properties they were trying to verify that it actually maintained. It looks like the only thing that is pending removal that's being used at the moment is XHRs, which are used only in freedom-social-facebook. Presumably the fix-up work there would be part of the removal task, since it is so localized. |
Note: This issue technically affects FreeDOM. Please move the issue if necessary.
Freedom.js uses Web workers to isolate freedom contexts from each other and prevent them from directly accessing the DOM, which seems to be intended as a security measure for isolating different modules. However, web workers are not designed to provide secure isolation of code; they are designed for running heavyweight tasks in the background, with no direct access to the DOM or the window resulting as a side effect.
Web workers can e.g. still use
XMLHttpRequest
to perform HTTP requests to their origin, which is the same as the origin of the website that started the worker, they can load scripts without muted errors, they can useIndexedDB
and so on. In a typical web application, the ability to perform XHRs in the name of the application’s domain effectively gives the worker full access to the application. Similarly, in a chrome application, the worker is not able to use the chrome.* APIs, but it can still use XMLHttpRequest to talk to all origins that are whitelisted in the application manifest.This issue could be mitigated by erasing all potentially harmful objects in the global scope of the worker, but that solution seems somewhat brittle. We recommend switching to frame-based isolation with sandboxing instead as frames are designed for security. The following list of objects should be considered for deactivation:
Worker
WebSocket
XMLHttpRequest
XMLHttpRequestUpload
importScripts
The code to deactivate the object should make use of ES5’s
Object.defineProperty()
/Object.defineProperties()
. This is because of the browser specific behavior of language features such as delete. While simply deleting an object inside a worker suffices in Firefox, on Chrome and related browsers it has no effect. Our tests found the following code to be most efficient:The text was updated successfully, but these errors were encountered: