Re: [whatwg] Security restriction allows content thievery from Ian Hickson on 2012-09-06 (public-whatwg-archive@w3.org from September 2012)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 6 Sep 2012 18:22:42 +0000 (UTC)
To: whatwg@whatwg.org
Message-ID: <Pine.LNX.4.64.1209061818570.30734@ps20323.dreamhostps.com>

On Mon, 16 Jul 2012, Robert Eisele wrote:
>
> Browsers are very restrictive when one tries to access the contents of 
> different domains (including the scheme), embedded via framesets. This 
> is normally a good practice, but I'd suggest to weaken this restriction 
> for the data: URI schema.

It already is. The origin of documents and images using data: URLs is 
essentially the origin of wherever you found the URL.


> I'm currently building an analysis system like Google Analytics, which 
> gets embedded into a website via a small JavaScript snippet. When I 
> analyzed the data, I came across a very interesting trick because I got 
> a lot of requests (with the data from location.href) where the entire 
> website was embedded into a data:text/html URI - except that all ads of 
> the page were replaced. Fortunately, my tracking code has been left 
> without modifications.

Weird.


> But the scary thing is that this way you can monetize foreign content by 
> simply embedding it somewhere you can direct traffic to. That's pretty 
> clever, because the original site owner doesn't notice this abuse due to 
> the fact that top.location.href isn't readable. Or even worse, he would 
> never notice it at all when he doesn't sniff the URI with JavaScript, 
> because image files would have no referrer.
> 
> My final approach to convict the abuser is based on the fact, that the 
> JavaScript was dynamically loaded from my server and that I can write to 
> location.href. So I added this piece of code:
> 
> if (top.location.protocol === 'data:') {
>     top.location.href = 'http://example.com/trap/';
> }
> 
> But even then the referrer will not be passed to the server. So my 
> proposal is that the data URI schema gets an exception on this security 
> behavior.

I don't understand. What referrer are you trying to set? To what?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 6 September 2012 18:23:09 UTC