Re: [RequestAnimationFrame] Integer identifiers: let's not make the same mistake again. from David Bruant on 2011-06-28 (public-web-perf@w3.org from June 2011)

From: David Bruant <david.bruant@labri.fr>
Date: Tue, 28 Jun 2011 23:57:55 +0200
To: James Robinson <jamesr@google.com>
CC: public-web-perf@w3.org, "Mark S. Miller" <erights@google.com>
Message-ID: <4E0A4E63.9070902@labri.fr>

Le 28/06/2011 22:44, James Robinson a écrit :
> On Mon, Jun 13, 2011 at 6:17 AM, David Bruant <david.bruant@labri.fr 
> <mailto:david.bruant@labri.fr>> wrote:
>
>     Hi,
>
>     setTimeout, setInterval both return an integer as an identifier. In my
>     opinion, this is a mistake.
>     If a milicous script comes up, and loops over an integer range, it can
>     cancel intervals and timeouts without having been granted the right to
>     do so. This is a security issue.
>
>
> Hi David,
>
> I'm not sure I understand exactly what you mean here - script can only 
> cancel timers that it set. Could you expand a bit on what you mean by 
> "granted the right to do so"?
If you set a timeout, it would be preferable for you to be the only 
person (by "person", I mean, "your own scripts") allowed to clear the 
timeout. Otherwise, it means that any other script inserted in the page 
(like advertisment or a malicious script) can cancel the timeout that 
you set up.
In cases where you write some code that rely on the fact that if you 
setup a timeout it will be triggered, if some random script has the 
ability to cancel your timeouts, it can mess your internal logic up.

If the returned value of setTimeout is forgeable (integer, string...), 
then anyone have the right to cancel your timeouts (by definition of 
"forgeable"). If it is an unforegeable opaque identifier (like an object 
as I showed in the gist in my original message), your script is the only 
one able to cancel a timeout... Unless, you decide to "hand" the 
identifier to another script (by passing it as an argument of a function 
defined in a script you haven't written, for instance). This is the case 
where I said that you "grant the right to another script to cancel your 
timeout", because you decided to "hand" this identifier. The untrusted 
script can decide to call clearTimeout(opaqueIdentifier), but you wrote 
the code handing the identifier. You granted the right so you are the 
only one to blame for the security flaw (unlike when untrusted code can 
loop through an integer range).

> The reason for using integer identifiers is to remain close to 
> setTimeout/setInteval, but I think an opaque identifier would work 
> equally well.  I'm not sure what benefit it would give, however.
I hope I was clear in my explanations. Just tell me if i wasn't enough.

David

Received on Tuesday, 28 June 2011 21:58:37 UTC