hitrust / wave-protocol

Automatically exported from code.google.com/p/wave-protocol

Security: XSSI Protection #134

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Currently we have a fetch servlet which allows the user to fetch a snapshot of
the wavelet. We should either remove it or add XSSI protection, by purposely
prefixing a few characters to the head of the produced JSON.

Original issue reported on code.google.com by zdw...@google.com on 1 Nov 2010 at 1:04

GoogleCodeExporter commented 9 years ago
More detail on the vulnerability.  Evil.org can host a page with:

<script>
  // Redefine Object and Array constructors to send data to evil.org
</script>
<script src='...wave fetch url...'>
</script>

Recommended preventions (from http://google-gruyere.appspot.com/part4):
"
To fix, there are several changes you can make. Any one of these changes will 
prevent currently possible attacks, but if you add several layers of protection 
("defense in depth") you protect against the possibility that you get one of 
the protections wrong and also against future browser vulnerabilities.

First, use an XSRF token as discussed earlier to make sure that JSON results 
containing confidential data are only returned to your own pages. Second, your 
JSON response pages should only support POST requests, which prevents the 
script from being loaded via a script tag. Third, you should make sure that the 
script is not executable. The standard way of doing this is to append some 
non-executable prefix to it, like ])}while(1);</x>. A script running in the 
same domain can read the contents of the response and strip out the prefix, but 
scripts running in other domains can't.
"

Original comment by hearn...@google.com on 1 Nov 2010 at 5:13
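The three layers quoted from Gruyere above, worked through as an added example (this is not wave-protocol code and not the fetch servlet; the servlet is simulated by a plain function). It prepends the quoted `])}while(1);</x>` prefix on the server, strips it again in a same-origin client, and shows why the prefix matters: the unprotected array response parses as a script (so a `<script src>` on evil.org would execute it), while the prefixed response is a syntax error. The snapshot payload, the `x-xsrf-token` header name and the request shape are constructed assumptions.

```javascript
// Added example of XSSI protection, not code from the wave-protocol project.
// Prefix taken from the Gruyere advice quoted in the issue: it is not valid
// JavaScript at the start of a script, closes any open tag if it ever lands in
// an HTML context, and would loop forever if a parser somehow got past the "]".
const XSSI_PREFIX = "])}while(1);</x>\n";

// Constructed sample: a wavelet snapshot as an array of documents. A top-level
// array is the classic JSON-hijacking target because "[...]" is a valid
// expression statement when loaded as a script.
const SAMPLE_SNAPSHOT = [
  { docId: "conversation", participants: ["alice@example.com"], content: "secret draft" },
];

// Server side, layer three: serialize and prepend the non-executable prefix.
function renderProtectedJson(obj) {
  return XSSI_PREFIX + JSON.stringify(obj);
}

// Server side, layers one and two: only answer POST, and only when the request
// carries the session's XSRF token. The request shape { method, headers } and
// the header name "x-xsrf-token" are assumptions for this example.
function handleFetch(req, expectedToken) {
  if (req.method !== "POST") {
    return { status: 405, body: "" };          // a <script src> is always GET
  }
  const token = req.headers && req.headers["x-xsrf-token"];
  if (typeof token !== "string" || token !== expectedToken) {
    return { status: 403, body: "" };          // cross-site page cannot read the token
  }
  return { status: 200, body: renderProtectedJson(SAMPLE_SNAPSHOT) };
}

// Client side (same origin): read the body, check the prefix is present, strip
// it, then parse. Refusing a response without the prefix catches a server that
// was later changed to forget it.
function parseProtectedJson(text) {
  if (!text.startsWith(XSSI_PREFIX)) {
    throw new Error("response is missing the XSSI prefix");
  }
  return JSON.parse(text.slice(XSSI_PREFIX.length));
}

// Attacker's view: would the body run if a cross-site page loaded it with
// <script src=...>? Simulated by compiling it as a function body. A
// SyntaxError means the browser would refuse to execute it, so redefined
// Object/Array constructors on evil.org would never see the data.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  const unprotected = JSON.stringify(SAMPLE_SNAPSHOT);
  console.log("unprotected executable as script:", isExecutableAsScript(unprotected));
  const protectedBody = renderProtectedJson(SAMPLE_SNAPSHOT);
  console.log("protected executable as script:  ", isExecutableAsScript(protectedBody));
  const resp = handleFetch({ method: "POST", headers: { "x-xsrf-token": "t0k3n" } }, "t0k3n");
  console.log("same-origin client sees:", parseProtectedJson(resp.body));
}
```

The prefix alone is enough to stop the script-tag attack described in the comment, but the POST-only and token checks cost little and cover the case where the prefix is dropped by a later refactor of the servlet or by a proxy that rewrites responses.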