keybase / kbfs

Keybase Filesystem (KBFS)
https://keybase.io/docs/kbfs
BSD 3-Clause "New" or "Revised" License

Consider adding `keybase.pub` to public suffix list #1195

Open freddyb opened 7 years ago

freddyb commented 7 years ago

To be clear, this is not a security issue in itself, rather a suggested precaution.

KBFS offers hosting and custom domains for users. There are some risks with giving subdomains to users. Since they are all subdomains of a main domain that bears valuable session cookies, there are avenues for cross-origin leaks assuming another bug or some cooperation. While the Same Origin Policy (SOP) will prevent most serious web security problems around hosting user content under your subdomain (because they get their own origin), some legacy technologies like cookies are not bound to the SOP but operate on hostnames or eTLD+1. Furthermore, setting `document.domain = 'keybase.pub'` on the subdomain and on a page of the main domain would give complete DOM access in both directions, effectively disabling the Same Origin Policy.

I would suggest disallowing these things by registering the domain keybase.pub on the public suffix list. This way, browsers will consider it a suffix just like .co.uk or .github.io. The public suffix therefore describes the effective top-level domain (eTLD). More at https://publicsuffix.org/; adding your domain may happen following their guidelines.
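To make the effect of a PSL entry concrete, here is an added example (not code from this issue or from the kbfs project): a minimal public-suffix matcher over a constructed subset of the list, applied to the `document.domain` and cookie `Domain` rules that the comment above relies on. The rule lists, hostnames and function names are assumptions for illustration; the real list and its wildcard/exception rules live at https://publicsuffix.org/.

```javascript
// Constructed PSL subsets: one without keybase.pub, one with it listed.
const PSL_WITHOUT = ["pub", "com", "github.io"];
const PSL_WITH = ["pub", "com", "github.io", "keybase.pub"];

// Longest PSL rule matching the end of host (exact rules only; the real
// algorithm also handles "*." wildcard and "!" exception rules).
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().split(".");
  let best = labels[labels.length - 1]; // an unlisted TLD still counts as a suffix
  for (const rule of rules) {
    const r = rule.split(".");
    if (r.length > labels.length || r.length <= best.split(".").length) continue;
    if (labels.slice(-r.length).join(".") === rule) best = rule;
  }
  return best;
}

// eTLD+1: the public suffix plus one label, or null when host is itself a suffix.
function registrableDomain(host, rules) {
  const suffix = publicSuffix(host, rules);
  const labels = host.toLowerCase().split(".");
  const extra = labels.length - suffix.split(".").length;
  return extra < 1 ? null : labels.slice(extra - 1).join(".");
}

// Two hosts are "same site" (SameSite cookies, site-keyed storage) when they
// share an eTLD+1; a null eTLD+1 never matches anything.
function sameSite(a, b, rules) {
  const ra = registrableDomain(a, rules);
  return ra !== null && ra === registrableDomain(b, rules);
}

// HTML's "registrable domain suffix of or equal to" check behind the
// document.domain setter: the target may not itself be a public suffix.
function canSetDocumentDomain(host, target, rules) {
  if (target === host) return true;
  if (!host.endsWith("." + target)) return false;
  return publicSuffix(target, rules) !== target;
}

// RFC 6265 section 5.3: a Domain attribute that is a public suffix is ignored
// unless it equals the request host, in which case the cookie becomes host-only.
function cookieDomainAccepted(requestHost, domainAttr, rules) {
  if (publicSuffix(domainAttr, rules) === domainAttr) return domainAttr === requestHost;
  return requestHost === domainAttr || requestHost.endsWith("." + domainAttr);
}
```

With `keybase.pub` listed, `alice.keybase.pub` can neither relax `document.domain` to `keybase.pub` nor set a cookie scoped to it, and the two hosts are no longer same-site.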

strib commented 7 years ago

cc: @malgorithms