brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Secure access window origin on iOS #42539

Open StephenHeaps opened 4 days ago

StephenHeaps commented 4 days ago

Description

window.origin is marked readonly, but is replaceable. We should store a secured copy of the window.origin so a site can't change the window.origin to circumvent our scripts.

Follow up to https://github.com/brave/brave-core/pull/26622#discussion_r1857499931.

Steps to Reproduce

  1. Add stephenheaps.github.io/$first-party to the custom filters
  2. Open https://stephenheaps.github.io/local-frames/test.html
  3. Open Safari debugger
  4. Observe in console that XHRs to https://stephenheaps.github.io/local-frames/ad.txt were blocked. At this point https://stephenheaps.github.io/local-frames/ad.txt is cached, so we need to use a different URL
  5. Switch context to local-iframe in the bottom right corner
  6. Then in console:

     ```js
     window.origin = "https://brave.com"
     fetch("https://stephenheaps.github.io/local-frames/ad2.txt")
     ```

  7. Observe that the fetch wasn't blocked.
pes10k commented 4 days ago

Fwiw, I expect window.origin is not the only place this is happening (JS inserted code is using page editable versions of WebAPIs) and so it might be good to expand the scope of this issue.

I’m 99% sure I’ve used JS (not TS) static analysis tools that can check for instances too. Happy to root around for them if it’d be helpful

StephenHeaps commented 4 days ago

> Fwiw, I expect window.origin is not the only place this is happening (JS inserted code is using page editable versions of WebAPIs) and so it might be good to expand the scope of this issue.
>
> I’m 99% sure I’ve used JS (not TS) static analysis tools that can check for instances too. Happy to root around for them if it’d be helpful

@pes10k I think it'd be good if you have any tools to run static analysis for this if we want to include more than just window.origin.

stoletheminerals commented 4 days ago

> Fwiw, I expect window.origin is not the only place this is happening (JS inserted code is using page editable versions of WebAPIs) and so it might be good to expand the scope of this issue. I’m 99% sure I’ve used JS (not TS) static analysis tools that can check for instances too. Happy to root around for them if it’d be helpful

yeah, @Brandon-T fixed a lot of similar issues on iOS already, we now save original copies of such objects and access the frozen copies. Also we only care if by modifying a JS object the web page can somehow affect privacy/security of the browser/user. Most of the time, though, these edits only allow the page to attack itself, and there is not much we can do about that.
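
The reproduction in the issue description and the "frozen copies" approach in the comment above, as an added Node.js example that is not brave-core's code. `makeWindow`, its stand-in `fetch`, and the `{ firstParty: true }` rule are constructed models of the browser global, the real `fetch`, and the `$first-party` filter; `origin` is modelled with WebIDL [Replaceable] semantics (assignment shadows the readonly accessor with a plain data property), which is what makes the issue's `window.origin = ...` step work in a real browser. The naive blocker reads `window.origin`, `fetch` and `URL.prototype.origin` at call time; the hardened one captures them once at injection and uses only those copies.

```javascript
// Added example (not brave-core code). `makeWindow`, its fetch stub and the
// `{ firstParty: true }` rule are constructed stand-ins for the browser global,
// the real fetch and the `$first-party` filter.

// Stand-in for the browser global. `origin` is modelled with WebIDL
// [Replaceable] semantics: the accessor's setter shadows itself with a plain
// data property holding whatever the page assigned.
function makeWindow(realOrigin) {
  const win = {};
  Object.defineProperty(win, "origin", {
    configurable: true,
    enumerable: true,
    get() { return realOrigin; },
    set(value) {
      Object.defineProperty(this, "origin", {
        value, writable: true, configurable: true, enumerable: true,
      });
    },
  });
  // Stand-in fetch: never blocks, just reports what it was asked for.
  win.fetch = function fetch(url) { return { ok: true, url: String(url) }; };
  return win;
}

// Naive injected blocker: looks up window.origin, fetch and URL.prototype.origin
// at call time, so the page can swap any of them before the check runs.
function naiveBlocker(win, rules) {
  return function guardedFetch(url) {
    const requestOrigin = new URL(url).origin;
    if (rules.firstParty && requestOrigin === win.origin) {
      return { blocked: true, url };
    }
    return win.fetch(url);
  };
}

// Hardened injected blocker: every WebAPI the check depends on is captured
// once, when the script is injected, and only the captured copies are used.
function hardenedBlocker(win, rules) {
  const frozenOrigin = win.origin; // a value, not a live lookup
  const frozenFetch = win.fetch;
  const FrozenURL = URL;
  const frozenOriginGetter = Object.getOwnPropertyDescriptor(URL.prototype, "origin").get;
  const apply = Reflect.apply; // Function.prototype.apply is poisonable as well
  return function guardedFetch(url) {
    const requestOrigin = apply(frozenOriginGetter, new FrozenURL(url), []);
    if (rules.firstParty && requestOrigin === frozenOrigin) {
      return { blocked: true, url };
    }
    return apply(frozenFetch, win, [url]);
  };
}

// Runs one blocker through the reproduction: a first-party request is checked
// before and after the page replaces window.origin, and then after it also
// redefines a prototype getter the check goes through.
function runScenario(makeBlocker) {
  const win = makeWindow("https://stephenheaps.github.io");
  const guardedFetch = makeBlocker(win, { firstParty: true });
  const isBlocked = (url) => guardedFetch(url).blocked === true;

  const blockedBefore = isBlocked("https://stephenheaps.github.io/local-frames/ad.txt");

  // Step 6 of the reproduction: the page replaces the "readonly" origin.
  win.origin = "https://brave.com";
  const blockedAfterOriginPoisoning = isBlocked("https://stephenheaps.github.io/local-frames/ad2.txt");

  // The page additionally poisons URL.prototype.origin (restored afterwards).
  const savedDescriptor = Object.getOwnPropertyDescriptor(URL.prototype, "origin");
  Object.defineProperty(URL.prototype, "origin", {
    configurable: true, enumerable: true, get() { return "https://evil.example"; },
  });
  let blockedAfterPrototypePoisoning;
  try {
    blockedAfterPrototypePoisoning = isBlocked("https://stephenheaps.github.io/local-frames/ad2.txt");
  } finally {
    Object.defineProperty(URL.prototype, "origin", savedDescriptor);
  }
  return { blockedBefore, blockedAfterOriginPoisoning, blockedAfterPrototypePoisoning };
}

console.log("naive:", runScenario(naiveBlocker));
console.log("hardened:", runScenario(hardenedBlocker));
```

Both blockers block the first request; only the hardened one still blocks after the page has tampered with `window.origin`, and after it has also redefined `URL.prototype.origin`. The capture has to happen before any page script runs (document-start injection), since a copy taken after the page has already replaced a property is just a copy of the poisoned value.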

pes10k commented 4 days ago

> @pes10k I think it'd be good if you have any tools to run static analysis for this if we want to include more than just window.origin.

@thypon, I think you had a tool you were using to detect when scripts were using poisonable prototypes?