- From: Jun <notifications@github.com>
- Date: Fri, 10 Feb 2023 10:36:04 -0800
- To: w3c/FileAPI <FileAPI@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/FileAPI/issues/192@github.com>
***Up-to-date details and FAQ for this proposal are available at https://github.com/shhnjk/Safe-Blob-URL***

## Proposal

Expose a `crossOrigin` option to [BlobPropertyBag](https://w3c.github.io/FileAPI/#dfn-BlobPropertyBag) in the [Blob constructor](https://developer.mozilla.org/en-US/docs/Web/API/Blob/Blob) and a read-only `crossOrigin` property in [Blob instances](https://developer.mozilla.org/en-US/docs/Web/API/Blob#instance_properties).

```js
// script on https://example.com
const untrustedHTML = '<script>alert(document.domain)</script>';
const blob = new Blob([untrustedHTML], { type: 'text/html', crossOrigin: true });

// Feature-detect the option before relying on it: an implementation that
// ignores `crossOrigin` would hand back an ordinary same-origin Blob URL.
if ('crossOrigin' in Blob.prototype && blob.crossOrigin) {
  const url = URL.createObjectURL(blob);
  console.log(url); // blob:https://[958c8e12-9f61-43a0-950a-56ecb19d3028]/958c8e12-9f61-43a0-950a-56ecb19d3028
}
```

A cross-origin Blob URL is special in a few ways.

1. It has a format of `blob:scheme://[UUID]/UUID`.
2. It has a unique non-opaque origin (e.g. `https://[b9b68b26-a98b-4ad6-b089-33d2afa96944]`).
3. It does *NOT* inherit CSP from the creator.
4. It is treated as cross-site to other URLs (except itself) when rendered as a document (e.g. in [Site Isolation](https://www.chromium.org/Home/chromium-security/site-isolation/)).

## Why do we need this?

It aims to solve 2 problems.

### XSS through Blob URLs

Blob URLs are useful for loading locally available resources. However, they also lead to XSS bugs.

1. [XSS on WhatsApp Web](https://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/).
2. [XSS on Shopify](https://hackerone.com/reports/1276742).
3. [XSS on chat.mozilla.org](https://gccybermonks.com/posts/xss-mozilla/).

The cross-origin Blob URL is designed in a way that these XSS won't happen (because a script will execute in a unique origin).

### A native alternative to sandbox domains

Many Web apps require a place to host user content (e.g. `usercontent.goog`, `dropboxusercontent.com`, etc.) to safely render it.
In order to do so securely (e.g. to avoid exploitable XSS, [cookie bomb](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26), and [Spectre](https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html) attacks), a site needs to register a [sandbox domain](https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html), add it to the [public suffix list](https://publicsuffix.org/), and then host user content in randomly generated subdomains. However, this is not something that every site can afford, due to engineering and maintenance cost. The cross-origin Blob URL provides a way to render user content in a cross-site context without such setup.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/FileAPI/issues/192
Received on Friday, 10 February 2023 18:36:18 UTC
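The two helpers below are an added example, not code from the proposal, the Safe-Blob-URL repository or the FileAPI spec. The first is a classifier for the `blob:scheme://[UUID]/UUID` format the proposal describes: it reports whether a Blob URL string is of the proposed cross-origin form or the conventional `blob:<creator origin>/UUID` form, and what origin a document loaded from it would run as. The second wraps the feature-detection pattern from the proposal's own snippet so that untrusted HTML only ever reaches a Blob URL when `crossOrigin` is honoured, and returns `null` otherwise instead of falling back to a same-origin Blob URL (the XSS pattern the proposal is meant to remove). The function names, the regular expressions, the injectable `BlobCtor`/`URLCtor` parameters and the stub Blob implementation are assumptions for the example; nothing here assumes any browser implements the option.

```javascript
// Added example, not code from the proposal or from the FileAPI spec.
// Function names, the URL patterns and the stub objects below are assumptions.

// UUID as it appears in Blob URLs: five hex groups, 8-4-4-4-12.
const UUID = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}';

// Proposed cross-origin form: blob:scheme://[UUID]/UUID
const CROSS_ORIGIN_BLOB = new RegExp(
  `^blob:([a-z][a-z0-9+.-]*):\\/\\/\\[(${UUID})\\]\\/(${UUID})$`, 'i');

// Conventional form: blob:<creator origin>/UUID, where the origin is scheme://host[:port]
const SAME_ORIGIN_BLOB = new RegExp(
  `^blob:([a-z][a-z0-9+.-]*:\\/\\/[^/\\[\\]]+)\\/(${UUID})$`, 'i');

// Classify a Blob URL string and report the origin a document loaded from it
// would run as. For the proposed form that is the bracketed UUID host, which is
// what keeps a script inside untrusted HTML away from the creator's origin.
function classifyBlobUrl(url) {
  let m = CROSS_ORIGIN_BLOB.exec(url);
  if (m) {
    return {
      kind: 'cross-origin',
      origin: `${m[1].toLowerCase()}://[${m[2].toLowerCase()}]`,
      uuid: m[3].toLowerCase(),
    };
  }
  m = SAME_ORIGIN_BLOB.exec(url);
  if (m) {
    // Scripts in this document run as the creator's origin: the XSS case.
    return { kind: 'same-origin', origin: m[1].toLowerCase(), uuid: m[2].toLowerCase() };
  }
  return { kind: 'invalid', origin: null, uuid: null };
}

// Turn untrusted HTML into a Blob URL only when the implementation honours the
// proposed `crossOrigin` option. Returning null instead of falling back to a
// plain Blob URL is the point: a same-origin Blob URL would execute the HTML's
// scripts as the creator. BlobCtor/URLCtor are injectable (an assumption for
// the example) so the check can be exercised outside a browser.
function createIsolatedHtmlUrl(untrustedHtml, { BlobCtor = globalThis.Blob, URLCtor = globalThis.URL } = {}) {
  if (typeof BlobCtor !== 'function' || !('crossOrigin' in BlobCtor.prototype)) {
    return null; // option unknown to this implementation
  }
  const blob = new BlobCtor([untrustedHtml], { type: 'text/html', crossOrigin: true });
  if (!blob.crossOrigin) {
    return null; // option known but not applied to this Blob
  }
  return URLCtor.createObjectURL(blob);
}

// Stub of a Blob implementation that supports the option. Constructed for the
// example only; it does not model any real browser.
class StubCrossOriginBlob {
  constructor(parts, options = {}) {
    this.parts = parts;
    this.type = options.type || '';
    this._crossOrigin = options.crossOrigin === true;
  }
  get crossOrigin() { return this._crossOrigin; }
}
const stubURL = {
  createObjectURL: () =>
    'blob:https://[958c8e12-9f61-43a0-950a-56ecb19d3028]/958c8e12-9f61-43a0-950a-56ecb19d3028',
};

// Run the wrapper against the stub (option supported) and against a bare
// class (option unsupported) and classify what comes back.
function demo() {
  const html = '<script>alert(document.domain)</script>';
  return {
    supported: classifyBlobUrl(createIsolatedHtmlUrl(html, { BlobCtor: StubCrossOriginBlob, URLCtor: stubURL })),
    unsupported: createIsolatedHtmlUrl(html, { BlobCtor: class {}, URLCtor: {} }),
  };
}
```

Under Node, where the global `Blob` has no `crossOrigin`, `createIsolatedHtmlUrl(html)` returns `null`; the stub path returns a URL that `classifyBlobUrl` reports as `cross-origin` with origin `https://[958c8e12-9f61-43a0-950a-56ecb19d3028]`, while a conventional `blob:https://example.com/<uuid>` is reported as `same-origin`.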