MozillaZine

Security Related Feature Request

Discuss building things with or for the Mozilla Platform.
martin_vahi
 
Posts: 2
Joined: March 2nd, 2014, 2:08 am

Post Posted March 2nd, 2014, 3:13 am

Motivation

3. party software, including JavaScript software, can "phone home" (passwords, private data, etc.). Given the cost of software development, it is practically impossible to avoid using 3. party JavaScript libraries. An example of a JavaScript based, NSA related, security breach has been described at

http://www.democracynow.org/2014/2/28/peeping_webcam_with_nsa_help_british

JavaScript formal verification tools do not yet exist and even, if they did, it would probably be unaffordably laborious to write/review the set of requirements of all of the 3. party libraries and their dependencies.


API Proposal

One possible solution is to place JavaScript software to a semi-jail that has AJAX and other forms of IP-layer access only to a specified set of URL's. If web browsers supported the following function:

Code: Select all
webbrowserspecific_api.v_niceversion.blow_all_bridges_except(array_of_allowed_URL_prefixes);


then the only way for the malicious software to "phone home" is by having the server side to redirect the call to "home".

Most of the communication of the 3. party libraries can be jailed, handled, by using the following architecture:

X) The whole application, from log-in to log-out, runs at a single "html-page" that
is served by the index.php.

X) After the index.php has served the initial HTML and JavaScript, the
window.onload() executes the blow_all_bridges_except(...) and all of the
communication between the web browser and the server can only take place
either by using

XX) demultiplexer_as_a_single_entry_for_all_application_specific_AJAX_requests.php

XX) a folder, JS_and_CSS_folder, that contains all of the JavaScript and CSS files
that this web application uses, including all 3. party JavaScript and CSS libraries.


To make sure that the "call to home" can only take place through the

demultiplexer....php

the JS_and_CSS_folder contains .htaccess file that tells the web server to make sure that no files in the JS_and_CSS folder (read: server-side files of the 3. party libraries) is executed at the server side. To make this work, the web application specific demultiplexer....php has all of the web application specific PHP file loading commands and function calls hard coded in itself, e.g. 3. party JavaScript can not use the demultiplexer....php as an "eval" function that loads a file from the JS_and_CSS_folder and executes it.

It's also important that the server side versions of the 3. party libraries can neither modify each other, nor modify the web application specific code, including the demultiplexer....php. The aforementioned measures impose the desired limit.

This feature request has emerged from a discussion that I initiated at the Yahoo YUI forum,

https://groups.google.com/forum/#!category-topic/yui-support/everything-else/kZZA6lDaODw

Thank You for reading this comment.

patrickjdempsey

User avatar
 
Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted March 2nd, 2014, 5:21 pm

MozillaZine is not formally associated with Mozilla and developers rarely come here:
http://www.mozillazine.org/about/

The NoScript extension I think can do what you want by blocking all cross-site scripting. Likewise, AdBlock Plus can be setup to block cross-site scripting. Unfortunately, it became popular a few years ago for some of the big websites to start storing much of their important bits in content delivery networks with a different domain than their primary domain so that blocking cross-site scripting will cause Facebook and various Google services to basically completely fail.

In the case of the Webcam snooping, this was I think an exploit that directly attacked the Yahoo Messenger software, or perhaps their servers, not a JS hack in a web browser.

Also, what you are requesting sounds like something that would have to go through a standards body like the W3C, and is definitely not something that could be implemented in just one browser or even in a remotely timely fashion considering it would require compliance across every browser.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

martin_vahi
 
Posts: 2
Joined: March 2nd, 2014, 2:08 am

Post Posted March 2nd, 2014, 8:06 pm

Thank You for Your kind answer.

I reposted my proposal to

https://groups.google.com/forum/#!topic/mozilla.dev.security/ujDUw-32wH8

Return to Mozilla Development


Who is online

Users browsing this forum: No registered users and 2 guests