User Generated Content Security

April 11th, 2007

Historically, browsers have used the same-origin policy to determine whether one webpage can access assets located on another webpage. It’s been pretty effective, but with the growth of user generated content, the same-origin policy is beginning to look a bit dated.

The Same Origin Policy 

The same origin policy determines whether one webpage can access the assets (cookies, forms, and XmlHttpRequest privileges) on another webpage.

A page on example.com has the origin of example.com and can access cookies/forms/etc. on example.com, but not on example2.com.

User Generated Content

The same origin policy assumes that every page on example.com is "owned" by the same person or organization, so that any page on example.com can access the assets on another page on example.com. This assumption is incorrect for sites which allow third-party user generated content.

One example is webhosting sites such as Geocities. Users are given their own directories on one domain to host their websites. The same-origin policy allows one user's website to access assets from another user's website. Normally this isn't much of a worry anyway; it's not like there is actually anything worthwhile on Geocities.

"Web 2.0" 

These days social networking sites like Myspace allow users to add all kinds of HTML onto their website. You can include Youtube videos, quizzes, silly flash animations and all kinds of weird things.

Because all of these pages are located on myspace.com, the browser same-origin policy automatically gives any page on myspace.com access to the assets of every other page on myspace.com. Every page on myspace.com has access to forms, cookies, and the whole lot.

Obviously this is problematic. To stop pages from hijacking each other, Myspace employs an HTML/XSS filter, which removes all the potentially harmful code from your page. My personal favourite for PHP is SafeHTML.

But there are probably dozens of well-documented instances of people finding holes in the filter and managing to, well, hijack pages or install harmful content. We've got Samy, we've got Raul, Myspace viruses.

Sandboxing Content

So the problem with the same-origin policy is that it makes the assumption that any page on a domain is authorized and owned by the same person or organization. With the advent of "web 2.0" and user-generated content, this is no longer the case.

Brendan Eich, the inventor of JavaScript and currently CTO at Mozilla, has proposed a sandboxing tag for HTML, designed specifically for user-generated content. Slide 20 proposes a standardized method of browser sanitization of untrusted content which looks something like:

<jail hash="8efb3881814...">untrusted web content here</jail hash="8efb3881814...">

The hash prevents untrusted users from closing the jail tag. The browser is supposed to treat the content inside the tag as content from a different origin, disabling any possibility of XSS/JS attacks.

I do see an issue in that older browsers will just ignore the <jail> tag, so of course it's still going to be possible to launch attacks in browsers which do not support jail. However, it's an extra layer of protection for users who use a modern browser, and users of older browsers will be just as secure as they've ever been.
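To show how the hash on the closing tag does its job, here is an added example (my own code, not from the slides or any browser): the server wraps user content in a guarded jail, and a small simulated jail-aware parser only ends the jail at a closer carrying the matching hash. The slides only say "hash"; deriving the token as an HMAC over the body with a server-held secret is an assumption made here, as are all the names.

```python
import hashlib
import hmac
import re

# Hypothetical secret held by the site; a content author never sees it.
SERVER_SECRET = b"constructed-demo-secret"

OPEN_TAG = re.compile(r'<jail hash="([0-9a-f]+)">')


def jail_hash(untrusted: str) -> str:
    """Token guarding the closing tag. This example derives it as an HMAC over
    the untrusted body (an assumption; the proposal only says 'hash'), so a
    user who controls the body still cannot predict a value that closes it."""
    mac = hmac.new(SERVER_SECRET, untrusted.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def wrap_in_jail(untrusted: str) -> str:
    """Server side: emit the guarded <jail> wrapper around user content."""
    h = jail_hash(untrusted)
    return f'<jail hash="{h}">{untrusted}</jail hash="{h}">'


def render_profile(site_html: str, user_html: str, site_script: str) -> str:
    """Site-owned markup, then the jailed user content, then site-owned script."""
    return site_html + wrap_in_jail(user_html) + site_script


def extract_jailed(page: str) -> list:
    """Simulate a jail-aware browser: from each opening tag, the jail runs up to
    the closing tag carrying the *same* hash. A closer with a missing or wrong
    hash is ordinary text inside the jail, not a way out of it."""
    jailed, pos = [], 0
    while (m := OPEN_TAG.search(page, pos)):
        body_start = m.end()
        end = page.find(f'</jail hash="{m.group(1)}">', body_start)
        if end == -1:            # unterminated jail: rest of page stays jailed
            jailed.append(page[body_start:])
            break
        jailed.append(page[body_start:end])
        pos = end
    return jailed


# Constructed sample: user content that tries to close the jail early, first
# with a bare closer and then with a guessed hash.
USER_HTML = '<b>my page</b></jail><i>x</i></jail hash="0123456789abcdef">'
PAGE = render_profile("<h1>Profile</h1>", USER_HTML, "<script>siteCode()</script>")

if __name__ == "__main__":
    for body in extract_jailed(PAGE):
        print("jailed:", body)
```

The whole of USER_HTML, including both fake closers, comes back as one jailed body, and the site's own script stays outside it.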
