Saturday, October 15, 2011

Local URIs are more equal than others (Part 1)

On Wednesday, Cedric Sodhi asked the WebKit development mailing list why WebKit restricts access to local URIs.  This post describes one of the reasons why local URIs are more equal than other URIs.  In a future post, we'll revisit this issue when we discuss how local URIs (e.g., file:///Users/abarth/tax2010.pdf) don't really fit cleanly into the web security model.

Although the web platform largely isolates different origins from each other, there are a number of "leaks" whereby one origin can extract information from another origin.  For example, browsers let one origin embed images from another origin, leaking information such as the height and width of the images across origins.  These leaks are often at the core of security vulnerabilities in the platform.

This same leak exists, of course, between local origins (e.g., those with file URIs) and non-local origins (e.g., those with http or https URIs).  What kind of information could a web site extract from your local system using this leak?

On my laptop, I have Skype installed, which means that, on my laptop, the URI below resolves to a PNG image with a particular height and width:
file:///Applications/Skype.app/Contents/Resources/SmallBlackDot.png
If I visit a web site and the browser doesn't address this leak, the web site could determine whether I have Skype installed by attempting to load that URI as an image.  On my laptop, the image element would have a certain well-known height and width, but on a laptop without Skype installed, the browser would fire the error event.

Returning to Cedric's question, why do browser vendors restrict access to local URIs but not to non-local URIs if both have the same information leak?  I would prefer to close this leak in both cases, but many web sites embed cross-origin images, e.g. from content delivery networks.  If we were adding the <img> tag today, we would probably require servers to opt in to cross-origin embedding using the Cross-Origin Resource Sharing protocol.

Fortunately, very few web sites include images (or other resources) from local URIs (especially after we removed the full path from <input type="file">, but that's a story for another time).  That means browsers can block all loads of local resources by non-local origins without making users sad, preventing web sites from snooping on your local file system.
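The policy described above, as an added example that is not WebKit's code: a simplified Node.js model of the load decision, in which any load of a local (file:) resource by a non-local origin is blocked while cross-origin loads of non-local resources stay allowed. The requester page path, the CDN host and the "local means file: scheme" rule are assumptions of this example.

```javascript
// Added example (not WebKit's implementation): a simplified model of the
// browser load policy the post describes, using the WHATWG URL class in Node.js.
// Assumption: "local" means the file: scheme; everything else is non-local.

const LOCAL_SCHEMES = new Set(["file:"]);

// Parse a URL string; return null for unparsable input so callers fail closed.
function parseOrNull(url) {
  try { return new URL(url); } catch (e) { return null; }
}

function isLocal(url) {
  const u = parseOrNull(url);
  return u !== null && LOCAL_SCHEMES.has(u.protocol);
}

// Decide whether a document at requesterOrigin may load (e.g. as an <img>)
// the resource at targetUrl. Non-local targets remain loadable cross-origin,
// because too many sites depend on that; local targets are loadable only by
// local requesters, which closes the height/width/error-event probe of the
// local file system from web content.
function canLoadResource(requesterOrigin, targetUrl) {
  const requester = parseOrNull(requesterOrigin);
  const target = parseOrNull(targetUrl);
  if (requester === null || target === null) return false;  // fail closed
  if (!LOCAL_SCHEMES.has(target.protocol)) return true;     // non-local target
  return LOCAL_SCHEMES.has(requester.protocol);             // local only from local
}

// Constructed sample decisions; the Skype path is the one quoted in the post,
// the requester page and the CDN host are made up for this example.
const SKYPE_DOT = "file:///Applications/Skype.app/Contents/Resources/SmallBlackDot.png";
const SAMPLE_DECISIONS = [
  ["https://example.com", SKYPE_DOT],
  ["file:///Users/abarth/page.html", SKYPE_DOT],
  ["https://example.com", "https://cdn.example.net/logo.png"],
  ["https://example.com", "not a url"],
].map(([from, to]) => ({ from, to, allowed: canLoadResource(from, to) }));

for (const d of SAMPLE_DECISIONS) {
  console.log(`${d.allowed ? "ALLOW" : "BLOCK"} ${d.from} -> ${d.to}`);
}
```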

20 comments:

  1. " If we were adding the 'img' tag today, we would probably require servers opt in to cross-origin embedding using [the CORS protocol]." Is there an easy way to use CORS for such tasks without inventing a JS DSL? Such a perspective suggests CORS isn't integrated into basic APIs, making productive programming unsecure-by-default even with the fix. I hadn't followed the API support for CORS, so I'm surprised!

  2. Leo, I'm not sure I understand your question. The browser needs to help the web site make a CORS request when loading images. For example, there's no way for a web site to attach the Origin header to a request without help from the browser because we want the Origin header to accurately reflect the origin of the requester.

    As to the broader thrust of your question, the default behavior for loading images is very likely to remain unchanged (i.e., insecure) because changing the default would likely break every web site.
