Saturday, October 22, 2011

X-Script-Origin, we hardly knew ye

On Thursday, Robert Kieffer filed an interesting bug in both the WebKit and Mozilla bug trackers:
WebKit and Mozilla browsers redact the information passed to window.onerror for exceptions that occur in scripts that originate from external domains. Unfortunately this means that for large institutions (like us here at Facebook) that use CDNs to host static script resources, we are unable to collect useful information about errors that occur in production.
Why do browsers redact this information in the first place?  The answer is actually a combination of two factors:
  1. Although browsers generally prevent one origin from reading information from another origin, the script element, like the image element, is a bit of a loophole: an origin is allowed to execute a script from any other origin.  (This exception has wide-ranging implications on both security and commerce on the web.)
  2. The script element ignores the MIME type of resources it loads.  That means if a web page tries to load an HTML document or an image with the script element, the browser will happily request the resource and attempt to execute it as a script.
At first blush, these two facts would seem to imply a serious security vulnerability.  Certainly executing a script leaks a great deal of information about the script and ignoring the MIME type means a malicious web site can cause the browser to execute any resource, regardless of the sensitivity of the resource (e.g., an attacker can execute the HTML that represents your email inbox as if it were JavaScript).

Fortunately, we're able to snatch security from the jaws of vulnerability because of a happy coincidence: resources that contain sensitive information happen to fail to parse as valid JavaScript (at least usually).  For example, your email inbox probably consists of HTML that quickly throws a SyntaxError exception when executed as JavaScript.  (The consequences of expanding JavaScript to include HTML-like syntax are left as an exercise for the reader.)

Returning to our original question, we now understand that (in an attack scenario) sensitive information actually flows through the JavaScript virtual machine, where it generates an exception.  That exception is then processed by window.onerror!  If browsers did not redact the information they give to window.onerror, they would potentially leak sensitive information to malicious web sites.

How, then, can we address Robert's use case?  Certainly we would like web sites like Facebook to be able to diagnose errors in their scripts.  Robert suggests an "X-Script-Origin" HTTP header attached to the script that would indicate which origins are authorized to see exceptions generated by the script.  Although that would work, that solution seems overly specific to the problem at hand.

A more general solution is for the server hosting the script to inform the browser which origins are authorized to learn sensitive information contained in the script.  (Typically servers would authorize every origin, because scripts are usually the same for every user.)  We already have a general mechanism for servers to make such assertions: Cross-Origin Resource Sharing.  We can address Robert's use case by adding a crossorigin attribute to the script element that functions similarly to the crossorigin attribute on the image element.  Once the embedding origin is authorized to read the contents of the script, there's no longer any need to redact the exceptions delivered to window.onerror.
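The decision described above, as an added example that is not code from the original post: a small model of what a browser hands to window.onerror for an exception thrown by a script, depending on whether the script is same-origin, cross-origin without opt-in, or cross-origin with a crossorigin attribute and a matching Access-Control-Allow-Origin header, plus a handler a site could install to keep redacted reports apart from diagnosable ones. The origins, header values and error details are constructed; the "Script error." message and the rule that a crossorigin script whose CORS check fails is not executed at all are what browsers do today, not something the post specifies.

```javascript
// Added example, not code from the original post. Origins, header values and
// the sample error below are constructed for illustration.

// The CORS check applied when the script element carries a crossorigin
// attribute: the response header is compared with the embedding page's origin.
function originAuthorized(pageOrigin, acaoHeader) {
  if (typeof acaoHeader !== "string") return false;
  const value = acaoHeader.trim();
  // "*" authorizes every origin, the setting the post expects CDNs to use.
  return value === "*" || value === pageOrigin;
}

// Returns the report the page's window.onerror receives for `error`, or null
// when the script never runs (crossorigin present but the CORS check failed,
// which is how browsers handle that case today; the post predates it).
function reportForOnError({ pageOrigin, scriptOrigin, crossorigin, acaoHeader, error }) {
  if (pageOrigin === scriptOrigin) return { ...error, redacted: false };
  if (crossorigin === undefined) {
    // Cross-origin script without opt-in: it is executed, but the exception is
    // redacted so a parse error in a sensitive resource leaks nothing.
    return { message: "Script error.", source: "", lineno: 0, colno: 0, redacted: true };
  }
  if (!originAuthorized(pageOrigin, acaoHeader)) return null;
  // The embedding origin may read the script, so nothing needs redacting.
  return { ...error, redacted: false };
}

// Handler a site could install as window.onerror: records redacted reports
// separately so they are not logged as if they carried a usable location.
function makeOnErrorHandler(sink) {
  return function onerror(message, source, lineno, colno, errorObject) {
    const redacted = message === "Script error." && !errorObject;
    sink.push(redacted ? { redacted: true }
                       : { redacted: false, message, source, lineno, colno });
    return true; // suppress the browser's default console report
  };
}
```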

78 comments:

  1. Wouldn't the CDN be opting-in to receiving DELETE and PUT requests (and don't know what else) from FB for those images? Enabling CORS seems like a big hammer solution.

    Also, "snatch security from the jaws of vulnerability" is hilarious!
  2. CORS is relatively fine-grained. I'd expect CDNs to just send the Access-Control-Allow-Origin: * header, which makes the resource publicly readable but doesn't opt in to any crazy stuff like DELETE or PUT methods.
