Re: Updates to File API from Mark Seaborn on 2010-06-14 (public-webapps@w3.org from April to June 2010)

From: Mark Seaborn <mseaborn@chromium.org>
Date: Mon, 14 Jun 2010 11:35:48 -0700
To: Jonas Sicking <jonas@sicking.cc>
Cc: Web Applications Working Group WG <public-webapps@w3.org>, public-device-apis <public-device-apis@w3.org>
Message-ID: <AANLkTinS5LW4fVSNQMomxzSkatjh4eFSnOSH9nVMxH-i@mail.gmail.com>

On Mon, Jun 14, 2010 at 12:40 AM, Jonas Sicking <jonas@sicking.cc> wrote:

> On Sun, Jun 13, 2010 at 10:46 PM, Mark Seaborn <mseaborn@chromium.org>
> wrote:
> > Why do the "filedata:" URLs need to apply a same-origin check?  It seems
> > like this would unnecessarily reduce composability.  In practice, the
> URLs
> > returned by the File API would be unguessable anyway.  Why not use
> > unguessability of these tokens as the security mechanism?  So if a web
> app
> > wants to share the file with other, co-operating entities (e.g. in an
> iframe
> > or another tab), it can do so by sharing the URL; otherwise, it can
> withhold
> > the URL.
> >
> > When would the currently-proposed same-origin checks apply?  Would I be
> > right in thinking that they only apply to XMLHttpRequests from
> Javascript,
> > and don't apply if the URL is linked from an <img> element?
>
> URLs weren't always designed to be security sensitive. One common way
> they leak is through the "referer" (sic) header. So if the File whose
> .url you were loading was an HTML file, and you loaded it using an
> <iframe>, you could very easily leak the URL to untrusted parties.
>

That's true for "http:" URLs, but AFAIK it's not true for "https:" URLs.
The browser is not supposed to disclose HTTPS URLs via the Referer header,
and I know of at least one app (Tahoe-LAFS) that relies on that.  Since the
File API is creating the new "filedata:" URL scheme, it can specify that it
has the same property.


> At the very least the same-origin check applies such that if a
> cross-origin file uri is used on <img>, this would be considered a
> cross-origin load if that <img> was later pasted into a <canvas>.
> Similarly, if a cross-origin <video> is loaded, I think some events
> are with-held, though I'm less sure about that.
>
> However, in firefox we've taken a more strict approach. We disallow
> cross-origin <img> loads for filedata URIs. I.e. if site A receives a
> File with a url. Then even if site B manages to get hold of that url,
> it can't use <img> to load it.
>

This is adding a new mechanism, isn't it, since <img> was previously
considered to be normal linking and did not have a same-origin check.

What would happen if a page has an <a href="filedata:..."> link?

Regards,
Mark

Received on Monday, 14 June 2010 18:36:20 UTC