I've been thinking recently about javascript: URIs, and I think we need to make
a fundamental change in the way we handle them.
Right now, the way javascript: URIs work is the following:
1) Most javascript: URIs don't get a channel owner principal.
2) javascript: URIs loaded in a docshell (main window or subframe) get a channel owner principal.
3) javascript: URIs without a channel owner principal are executed in a sandbox.
4) javascript: URIs with a principal are executed in a sandbox if the principal doesn't match that of the page they're being executed against. Otherwise they're executed in the page's script context.
The problem is that javascript: is not the only thing that cares about the owner
principal, and right now we're having to pass a null principal in various places
because we don't want scripts there to execute against the page's context. The
reason we don't want that is that sites don't do the best filtering of
user-supplied content, and we don't want a CSS "background:
url('javascript:...');" to touch the page's data on myspace or some such (e.g.
we don't want it to be able to get cookies).
I propose that we separate out the issue of user-supplied content from the issue
of security by making javascript: URIs not execute by default. For them to
execute, in this model, someone needs to make a note on the javascript: URI that
it should execute. Docshell could do this for URIs loaded in docshell, for
example. Then we can pass in an owner in a lot more places (image loads, URI
loads from CSS, etc).
This way, we can effectively whitelist as allowed to execute only those cases
which are well-known to the web authoring community as needing to be filtered.
I suspect that these are basically just the docshell cases, especially with IE7
apparently either not executing javascript: in <img> srcs or executing it in a
sandbox (kinda hard to tell which from over here).
So the proposed model I have is the following:
1) All URI loads, ideally, have the right owner principal set.
2) javascript: URIs that are not explicitly marked otherwise do not execute.
3) javascript: URIs which are marked to execute but do not have a channel owner principal do not execute (and assert, because this should really not happen).
4) javascript: URIs with a principal are executed in a sandbox if the principal doesn't match that of the page they're being executed against. Otherwise they're executed in the page's script context.
We may want to put the flag on the channel instead of the URI, or on both,
depending on what callers have. That's an implementation detail, as far as this
proposal is concerned.
Thoughts?
-Boris
P.S. I realize we'd need to wontfix bug 355365 if we do this. Frankly, I'm
cool with that. That's what data: URIs are for; if our <img> support actually
obeyed content-type headers the pnglets thing wouldn't work anyway.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
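As an added illustration that is not part of Boris's post or of Mozilla's code, the following Python models the two policies side by side: the current four-rule model and the proposed "execute only when explicitly marked" model. The load descriptions (a docshell navigation, a CSS background URL, an image src, a cross-origin subframe) are constructed samples, and the field names `owner_principal`, `marked_to_execute` and `page_principal` are assumptions chosen to mirror the post's terms, not actual docshell or channel APIs. The point it shows is the one the post makes: under the current model, passing an owner principal to a CSS-originated javascript: load would run it in the page's context, whereas under the proposed model the same load simply does not execute, so owners can be passed in freely.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    NO_EXECUTE = "do not execute"
    SANDBOX = "execute in sandbox"
    PAGE_CONTEXT = "execute in page's script context"


@dataclass(frozen=True)
class JsUriLoad:
    """A javascript: URI load, described with the post's terms (hypothetical model)."""
    source: str                       # where the load came from (for display only)
    page_principal: str               # origin of the page the script would run against
    owner_principal: Optional[str]    # channel owner principal, or None if none was set
    marked_to_execute: bool = False   # the proposed "this javascript: URI should execute" flag


def current_model(load: JsUriLoad) -> Outcome:
    """Rules 3 and 4 of the current behaviour: sandbox unless the owner matches the page."""
    if load.owner_principal is None:
        return Outcome.SANDBOX
    if load.owner_principal != load.page_principal:
        return Outcome.SANDBOX
    return Outcome.PAGE_CONTEXT


def proposed_model(load: JsUriLoad, debug: bool = False) -> Outcome:
    """Rules 2 to 4 of the proposal: no flag means no execution at all."""
    if not load.marked_to_execute:
        return Outcome.NO_EXECUTE                       # rule 2
    if load.owner_principal is None:
        # Rule 3: a marked load without an owner is a caller bug; assert in debug
        # builds, refuse to execute in any build.
        if debug:
            raise AssertionError(f"marked javascript: load without owner: {load.source}")
        return Outcome.NO_EXECUTE
    if load.owner_principal != load.page_principal:
        return Outcome.SANDBOX                          # rule 4, mismatched principal
    return Outcome.PAGE_CONTEXT                         # rule 4, matching principal


# Constructed sample loads against a page at https://example.test.
PAGE = "https://example.test"
SAMPLE_LOADS = [
    # Top-level docshell navigation: docshell sets the owner and, under the proposal, the flag.
    JsUriLoad("docshell navigation", PAGE, owner_principal=PAGE, marked_to_execute=True),
    # CSS background url('javascript:...') from user-supplied content, now with an owner
    # passed in (which the post says is currently unsafe to do).
    JsUriLoad("css background url", PAGE, owner_principal=PAGE),
    # <img src="javascript:..."> with no owner at all (today's null-principal case).
    JsUriLoad("img src", PAGE, owner_principal=None),
    # Subframe docshell load whose owner is a different origin.
    JsUriLoad("cross-origin subframe", PAGE, owner_principal="https://other.test",
              marked_to_execute=True),
]


def evaluate_samples() -> dict:
    """Return {source: (current outcome, proposed outcome)} for the constructed loads."""
    return {load.source: (current_model(load), proposed_model(load)) for load in SAMPLE_LOADS}


if __name__ == "__main__":
    for source, (cur, prop) in evaluate_samples().items():
        print(f"{source:24} current: {cur.value:36} proposed: {prop.value}")
```

Running it prints one line per sample; the "css background url" line is the interesting one, since it flips from page-context execution to no execution once the flag, rather than the mere presence of an owner, decides whether the URI runs.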