[w3c/FileAPI] Proposal: Add a crossOrigin option to Blob (Issue #192)

***Up-to-date details and an FAQ for this proposal are available at https://github.com/shhnjk/Safe-Blob-URL***

## Proposal

Expose a `crossOrigin` option to [BlobPropertyBag](https://w3c.github.io/FileAPI/#dfn-BlobPropertyBag) in the [Blob constructor](https://developer.mozilla.org/en-US/docs/Web/API/Blob/Blob) and a read-only `crossOrigin` property in [Blob instances](https://developer.mozilla.org/en-US/docs/Web/API/Blob#instance_properties).

```js
// script on https://example.com
const untrustedHTML = '<script>alert(document.domain)</script>';
const blob = new Blob([untrustedHTML], {
                 type: 'text/html',
                 crossOrigin: true
             });
if ('crossOrigin' in Blob.prototype && blob.crossOrigin) {
  const url = URL.createObjectURL(blob);
  console.log(url); // blob:https://[958c8e12-9f61-43a0-950a-56ecb19d3028]/958c8e12-9f61-43a0-950a-56ecb19d3028
}
```

A cross-origin Blob URL is special in a few ways.
1. It has a format of `blob:scheme://[UUID]/UUID`.
2. It has a unique non-opaque origin (e.g. `https://[b9b68b26-a98b-4ad6-b089-33d2afa96944]`).
3. It does *NOT* inherit CSP from the creator.
4. It is treated as cross-site to other URLs (except itself) when rendered as a document (e.g. in [Site Isolation](https://www.chromium.org/Home/chromium-security/site-isolation/)).

## Why do we need this?

It aims to solve two problems.

### XSS through Blob URLs

Blob URLs are useful for loading locally available resources. However, because a Blob URL inherits the origin of the page that created it, they have also led to XSS bugs.

1. [XSS on WhatsApp Web](https://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/).
2. [XSS on Shopify](https://hackerone.com/reports/1276742).
3. [XSS on chat.mozilla.org](https://gccybermonks.com/posts/xss-mozilla/).

The cross-origin Blob URL is designed so that these XSS bugs cannot happen, because any script in the Blob executes in a unique origin rather than the creator's origin.

### A native alternative to sandbox domains

Many Web apps need a place to host user content (e.g. `usercontent.goog`, `dropboxusercontent.com`, etc.) in order to render it safely. To do so securely (e.g. to avoid exploitable XSS, [cookie bomb](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26), and [Spectre](https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html) attacks), a site has to register a [sandbox domain](https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html), add it to the [public suffix list](https://publicsuffix.org/), and then host the user content on randomly generated subdomains. However, not every site can afford this, because of the engineering and maintenance cost.

The cross-origin Blob URL provides a way to render user content in a cross-site context without any of that setup.
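As an added example of how a Web app might consume the proposed API (this is my code, not part of the proposal or of any browser), the helper below feature-detects `crossOrigin`, checks the instance property rather than trusting the constructor option, validates that the resulting URL has the `blob:scheme://[UUID]/UUID` form described above before an iframe is pointed at it, and otherwise falls back to a sandboxed `srcdoc` iframe. The fallback, the function names, and the injectable `BlobCtor`/`createObjectURL` parameters are my assumptions for illustration.

```javascript
// Added example: helper code for consumers of the proposed API, not part of the
// proposal or of any browser. The sandboxed-iframe fallback is my choice.

const UUID = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}';

// Proposed cross-origin form: blob:scheme://[UUID]/UUID (bracketed UUID host).
const CROSS_ORIGIN_BLOB_URL = new RegExp(
  `^blob:([a-z][a-z0-9+.-]*)://\\[(${UUID})\\]/(${UUID})$`, 'i');

// Existing form: blob:scheme://host/UUID, where host is the creator's origin.
const SAME_ORIGIN_BLOB_URL = new RegExp(
  `^blob:([a-z][a-z0-9+.-]*)://([^/\\[\\]]+)/(${UUID})$`, 'i');

// Tell the two forms apart so a caller can refuse to frame untrusted HTML from
// an ordinary (creator-origin) blob URL.
function classifyBlobUrl(url) {
  const co = CROSS_ORIGIN_BLOB_URL.exec(url);
  if (co) return { kind: 'cross-origin', origin: `${co[1]}://[${co[2]}]`, uuid: co[3] };
  const so = SAME_ORIGIN_BLOB_URL.exec(url);
  if (so) return { kind: 'same-origin', origin: `${so[1]}://${so[2]}`, uuid: so[3] };
  return { kind: 'not-a-blob-url' };
}

// Decide how to render untrusted HTML. BlobCtor and createObjectURL are
// injectable (hypothetical parameters) so the logic can run outside a browser.
function renderPlan(untrustedHtml, BlobCtor = globalThis.Blob,
                    createObjectURL = (b) => URL.createObjectURL(b)) {
  if (typeof BlobCtor === 'function' && 'crossOrigin' in BlobCtor.prototype) {
    const blob = new BlobCtor([untrustedHtml], { type: 'text/html', crossOrigin: true });
    // Check the instance property: an engine that ignores unknown dictionary
    // members would hand back an ordinary blob here.
    if (blob.crossOrigin === true) {
      const url = createObjectURL(blob);
      const info = classifyBlobUrl(url);
      if (info.kind !== 'cross-origin') {
        // Fail closed: a creator-origin URL would run the HTML in this page's origin.
        throw new Error(`expected a cross-origin blob URL, got ${url}`);
      }
      return { strategy: 'cross-origin-blob-url', url, origin: info.origin };
    }
  }
  // Fallback (my choice, not the proposal's): a sandboxed iframe with srcdoc
  // and an empty sandbox list, which gives the content an opaque origin.
  return { strategy: 'sandboxed-iframe-srcdoc', srcdoc: untrustedHtml, sandbox: '' };
}

// Apply a plan to an iframe element; sandbox is set before srcdoc so the
// restrictions are in place when the document is created.
function applyPlan(iframe, plan) {
  if (plan.strategy === 'cross-origin-blob-url') {
    iframe.setAttribute('src', plan.url);
  } else {
    iframe.setAttribute('sandbox', plan.sandbox);
    iframe.setAttribute('srcdoc', plan.srcdoc);
  }
  return iframe;
}
```

In a browser you would call `applyPlan(document.createElement('iframe'), renderPlan(userHtml))`; in an engine without the proposal, `renderPlan` never creates a blob URL for the untrusted HTML at all, so the XSS pattern from the reports above cannot be reintroduced by a missing feature check.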



Issue: https://github.com/w3c/FileAPI/issues/192

Received on Friday, 10 February 2023 18:36:18 UTC