Re: [w3c/FileAPI] "Null"ing out the Origin of a BLOB (#74)

To add a bit of background regarding security concerns:  With the specs as currently written, even just calling URL.createObjectURL(b) on a blob consisting of attacker-controlled content (i.e. making said blob URL-addressable) is potentially/theoretically risky: The Blob URL essentially [consists of a UUID](https://w3c.github.io/FileAPI/#DefinitionOfScheme), and the spec refers to RFC 4122 for UUIDs, whose [security section](https://tools.ietf.org/html/rfc4122#section-6) in turn explicitly states "Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example."   This means that as far as the specs are concerned, we have to assume that it's possible for a malicious page in a different origin, in the same browser, to guess the URL of a blob once createObjectURL has been called. It could then for instance load an iframe or instantiate a plugin from the blob's content; this would give the attacker script execution in the blob's (and hence its creating app's) origin.

This is probably not a particularly feasible attack in practice (there's likely enough entropy in GUIDs to make them too hard to guess in this scenario); but it seems unsatisfactory to rely on that.


@annevk --  <img>.objectSrc = blob would seem to address this concern too, since then there's never a URL that another page could guess and reference. 

One use case for Blob URLs is to implement download/save of files whose content a browser app has as a JS value (e.g. received from an RPC, or cached in local storage).  The app would create a Blob and a URL for it, and then instantiate a <a href="{{blobUrl}}" download> element.

Would objectSrc work with HTMLAnchorElement too (i.e. aEl.download = true; aEl.objectSrc = blob;) ? Presumably, right-click+open-in-new-tab should not work on such a link, since there's no URL/href.
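As an added illustration of the point made in this comment (this is not code from the thread or from the FileAPI spec): the blob URL scheme linked above serialises a blob URL as `blob:` + the creating origin + `/` + an RFC 4122 UUID, so the origin is plainly visible in the string and the UUID is the only part another page would have to guess. The parser below pulls those two parts out and checks their shape, which is the check an app wants before acting on a blob URL it received from elsewhere (e.g. over postMessage); the sample URLs are constructed.

```javascript
// Added example, not from the issue thread. Parses a File API blob URL of the
// form  blob:<origin>/<uuid>  and lets a page verify that a URL handed to it was
// minted by the origin it expects. Sample values below are constructed.

// RFC 4122 textual form: 8-4-4-4-12 hex digits, version nibble 1-5,
// variant nibble 8, 9, a or b.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Serialised tuple origin: scheme://host[:port], with no path component.
// An opaque origin serialises as the literal string "null".
const TUPLE_ORIGIN_RE = /^[a-z][a-z0-9+.-]*:\/\/[^/]+$/i;

// Returns { origin, uuid } or null if `url` is not a well-formed blob URL.
function parseBlobURL(url) {
  if (typeof url !== 'string' || !url.startsWith('blob:')) return null;
  const rest = url.slice('blob:'.length);
  // The origin contains "//" but never a trailing slash, and the UUID contains
  // no slash at all, so the last "/" is the origin/UUID separator.
  const slash = rest.lastIndexOf('/');
  if (slash < 0) return null;
  const origin = rest.slice(0, slash);
  const uuid = rest.slice(slash + 1);
  if (origin !== 'null' && !TUPLE_ORIGIN_RE.test(origin)) return null;
  if (!UUID_RE.test(uuid)) return null;
  return { origin, uuid };
}

// True only if `url` is a well-formed blob URL whose origin is exactly
// `expectedOrigin`. A "null" (opaque) origin never matches anything, since
// two opaque origins are never the same origin.
function isBlobURLFromOrigin(url, expectedOrigin) {
  const parsed = parseBlobURL(url);
  return parsed !== null && parsed.origin !== 'null' && parsed.origin === expectedOrigin;
}
```

Note that this only checks what the string claims; the browser, not the page, decides whether a blob URL actually resolves for a given requester.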

https://github.com/w3c/FileAPI/issues/74#issuecomment-311785512

Received on Wednesday, 28 June 2017 20:49:41 UTC