owncloud-archive / news

:newspaper: News app for ownCloud
GNU Affero General Public License v3.0

https warning due to embedded http content #896

Closed jas4711 closed 8 years ago

jas4711 commented 8 years ago

I get security warnings from my browser when visiting the News webapp. The cause is that some of my feeds embed images that are loaded over http, and displayed in the feed. One solution might be to download these images and cache them locally and serve them from the ownCloud instance.

Is it possible to embed javascript too? If the ownCloud News webapp loads an RSS feed over http and that can load javascript, it seems that could be an attack vector to take over the ownCloud instance via the users' browser. One solution would be to sanitize the RSS feed (remove all javascript calls?) and the data that is displayed to the user.

BernhardPosselt commented 8 years ago

Everything from a feed that is rendered without escaping (feed body/content) is sanitized twice, once through picoFeed and once through HTMLPurifier based on a whitelist approach.

Active mixed content is blocked completely, only iframes are allowed based on a whitelist in both picoFeed and HTMLPurifier.

What you mean is mixed passive content. This concerns images, audio and video only, see https://developer.mozilla.org/de/docs/Sicherheit/MixedContent#Passive_content_list

The attack vector here is that an attacker can perform a MITM attack and serve you different images or videos which is not a real concern from my POV.

The solution for this issue is that feed providers migrate to HTTPS for everything. Downloading and caching images like you mentioned in your post is not solving the root of the issue but only silences the symptoms. In fact it creates even worse security issues since you are protected from several things if it's served from a different domain. For instance someone could MITM you an SVG which contains JavaScript (yep, SVG allows you to add JS!) which would be able to read localstorage or cookies from your ownCloud install because it runs on the same domain.

Switching an HTTPS proxy in between also does not solve the issue since you can just MITM the proxy.

I hope this answers your concerns :)
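As an added example (not code from the News app, picoFeed or HTMLPurifier), a small Python sanitizer in the spirit of the whitelist approach described above: it drops every non-whitelisted element together with its content, strips unknown attributes and non-http(s) URLs such as javascript:, allows iframes only from an assumed host whitelist and sandboxes them, and reports the http:// image/audio/video URLs that are the actual cause of the browser's mixed-content warning. The tag and attribute whitelists, IFRAME_HOSTS and the SAMPLE feed body are constructed assumptions, not the project's real lists.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed whitelists for illustration; not picoFeed's or HTMLPurifier's real lists.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "br", "img", "audio", "video", "iframe"}
ALLOWED_ATTRS = {"href", "title", "src", "alt"}
IFRAME_HOSTS = {"www.youtube.com"}        # assumed iframe embed whitelist
PASSIVE_TAGS = {"img", "audio", "video"}  # the "mixed passive content" elements
VOID_TAGS = {"br", "hr", "img", "input", "embed", "source", "wbr"}  # never get an end tag
# Constructed feed item body (not from any real feed) that exercises every rule below.
SAMPLE = ('<p>Hi <img src="http://cdn.example/a.png" onerror="alert(1)"><script>alert(1)</script>'
          '<iframe src="https://www.youtube.com/embed/x"></iframe><a href="javascript:alert(1)">x</a></p>')

class FeedSanitizer(HTMLParser):
    # Whitelist sanitizer: anything not whitelisted is dropped together with its content.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.mixed, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        src = urlparse(dict(attrs).get("src") or "")
        bad_iframe = tag == "iframe" and (src.scheme != "https" or src.hostname not in IFRAME_HOSTS)
        if self.skip or tag not in ALLOWED_TAGS or bad_iframe:
            self.skip += tag not in VOID_TAGS   # swallow content until the matching end tag
            return
        kept = []
        for name, value in attrs:
            value, scheme = value or "", urlparse(value or "").scheme
            if name not in ALLOWED_ATTRS:
                continue                        # e.g. onerror=, style=
            if name in ("src", "href") and scheme not in ("http", "https"):
                continue                        # javascript:, data:, ...
            if name == "src" and scheme == "http" and tag in PASSIVE_TAGS:
                self.mixed.append(value)        # kept, but this is what triggers the warning
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "iframe":
            kept.append(' sandbox=""')          # no scripts, no same-origin access
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if self.skip and tag not in VOID_TAGS:
            self.skip -= 1
        elif not self.skip and tag in ALLOWED_TAGS - VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):  # returns (clean_html, http_passive_urls) for one feed item body
    p = FeedSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.mixed
```

Running `sanitize(SAMPLE)` keeps the http image (and reports its URL as the mixed-content cause) while the script, the event handler and the javascript: link are gone.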

BernhardPosselt commented 8 years ago

Here's a list of all whitelisted elements and attributes in picoFeed btw:

jas4711 commented 8 years ago

Thank you for the explanation -- I feel more comfortable reading news through the webapp now.

I agree caching isn't a good solution to the MITM issue. It would improve privacy though -- the external site won't be able to see WHEN I read their blog posts, and cannot track from where I do that. Still, being able to read localstorage/cookies is probably a more serious problem. Perhaps SVGs with JavaScript in them should be blocked too? Shouldn't they be considered active content? Caching truly passive content is hopefully harmless.

/Simon

jas4711 commented 8 years ago

Re the whitelist: I guess this is applied recursively? I'm thinking of the iframe.

BernhardPosselt commented 8 years ago

IFrame content is loaded from an external site, so you can't sanitize it. However, an IFrame is sandboxed, so it does not have access to anything outside of it. As for privacy: you can route the feed through a different server and replace all the links, but this always requires additional setup, and opens up other issues like serving it from the same domain (XSS) or probably file inclusion (php is hard to get right ;))

That being said picoFeed allows you to set an image proxy url https://github.com/fguillot/picoFeed/blob/master/docs/config.markdown#define-a-image-proxy-url but because of the XSS issues we chose to not implement this kind of behavior. Security is a superset of privacy and therefore more important to get done correctly.

As for SVGs: it's not really active content since it won't be executed if included via tag, the JavaScript is only executed when you view the image without everything else, e.g.: yourdomain.com/the.svg

cosenal commented 8 years ago

btw, dup of #885