[w3c/FileAPI] "Null"ing out the Origin of a BLOB (#74)

Is it possible to "null" out the origin of a blob?

Recently, Check Point exposed a bug in WhatsApp Web and Telegram Web which were not validating the MIME types of documents properly and directly opening them as a blob, leading to an XSS attack (http://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/).

Besides checking the MIME types, using iframe sandbox would have mitigated this problem. Using iframe sandbox would be preferred over MIME type checking in some situations, e.g. allowing SVGs but disabling foreign content. However, if the user right-clicked on the iframe and chose "Open in New Tab", the blob content would have been executed directly under the web.whatsapp.com origin.

Therefore, is it possible to "null" out the origin for blobs (setting them to an opaque origin), such that they cannot access anything from the web.whatsapp.com origin, sandboxed or not? Then, effectively, the blob URI acts like a data URI.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/FileAPI/issues/74

Received on Thursday, 16 March 2017 06:41:08 UTC
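The following is an added example and not code from the w3c/FileAPI thread, WhatsApp or Telegram. It shows the two mitigations the post weighs against each other, validating the declared MIME type (including a magic-number check for raster images) and rendering risky types only inside a sandboxed iframe, and it shows, via the URL standard's origin algorithm, why a blob: URL is not equivalent to a data: URL: the blob: URL inherits the origin of the page that created it, while data: has an opaque origin. The function names, the allowlist, the choice to serve sandboxed content from a data: URL, and the sample attachments are assumptions constructed for this demo. Run with Node.js.

```javascript
// Added example (not from the w3c/FileAPI issue or the apps it discusses).
// Assumed names: urlOrigin, previewPolicy, magicMatches; constructed samples below.

// 1. Origins. Per the URL standard, a blob: URL's origin is the origin of the
//    http(s) URL embedded in it, so a blob minted by web.whatsapp.com is
//    same-origin with the app. A data: URL's origin is opaque ("null").
function urlOrigin(urlString) {
  return new URL(urlString).origin;
}

// 2. Declared-type validation. Small allowlist; for raster images the bytes must
//    start with the right signature, so "photo.png" that is really SVG or HTML
//    is refused rather than rendered.
const MAGIC = {
  'image/png':  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  'image/jpeg': [0xff, 0xd8, 0xff],
  'image/gif':  [0x47, 0x49, 0x46, 0x38],
};
// Allowlisted types (assumed for the example; a real client picks its own).
const ALLOWED = new Set([...Object.keys(MAGIC), 'image/svg+xml', 'text/plain']);
// Allowlisted types that can still carry script or foreign content.
const ACTIVE = new Set(['image/svg+xml']);

// "IMAGE/PNG; charset=binary" -> "image/png"
function normalizeType(declared) {
  return String(declared || '').split(';')[0].trim().toLowerCase();
}

function magicMatches(bytes, type) {
  const sig = MAGIC[type];
  if (!sig) return true; // no known signature for this type: nothing to compare
  return sig.every((b, i) => bytes[i] === b);
}

// Decide how the client presents an attachment:
//   'download' - not previewable; offer Save only
//   'inline'   - raster image whose bytes match its declared type
//   'sandbox'  - render only in <iframe sandbox>, sourced from a data: URL so the
//                content keeps an opaque origin even if the user opens it in a
//                new tab (the gap the post describes for blob: URLs).
function previewPolicy(bytes, declaredType) {
  const type = normalizeType(declaredType);
  if (!ALLOWED.has(type) || !magicMatches(bytes, type)) {
    return { mode: 'download', type };
  }
  if (ACTIVE.has(type)) {
    // base64 output contains only [A-Za-z0-9+/=], so it cannot break out of the
    // quoted src attribute below.
    const dataUrl = `data:${type};base64,${Buffer.from(bytes).toString('base64')}`;
    // Bare `sandbox` (no allow-* tokens): scripts and forms disabled, unique origin.
    return { mode: 'sandbox', type, iframe: `<iframe sandbox src="${dataUrl}"></iframe>` };
  }
  return { mode: 'inline', type };
}

// Constructed samples for the demo.
const SAMPLE_BLOB_URL = 'blob:https://web.whatsapp.com/8f1c2e3a-0000-4000-8000-000000000000';
const SAMPLE_DATA_URL = 'data:image/svg+xml;base64,PHN2Zy8+';
const SVG_WITH_SCRIPT = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>');
const PNG_HEADER = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);

console.log('blob origin:', urlOrigin(SAMPLE_BLOB_URL));   // https://web.whatsapp.com
console.log('data origin:', urlOrigin(SAMPLE_DATA_URL));   // null
console.log('svg as png :', previewPolicy(SVG_WITH_SCRIPT, 'image/png').mode);     // download
console.log('svg as svg :', previewPolicy(SVG_WITH_SCRIPT, 'image/svg+xml').mode); // sandbox
console.log('png as png :', previewPolicy(PNG_HEADER, 'image/png').mode);          // inline
```

The decisive check for the post's scenario is the origin comparison: a sandboxed iframe protects the embedded view, but a blob: URL opened as a top-level document runs with the app's origin, whereas the data: URL does not.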