simonw 4 days ago

I was curious as to the security context this runs in:

    curl -i 'https://porcini.us-east.host.bsky.network/xrpc/com.atproto.sync.getBlob?did=did:plc:j22nebhg6aek3kt2mex5ng7e&cid=bafkreic5fmelmhqoqxfjz2siw5ey43ixwlzg5gvv2pkkz7o25ikepv4zeq'
Here are the headers I got back:

    x-powered-by: Express
    access-control-allow-origin: *
    cache-control: private
    vary: Authorization, Accept-Encoding
    ratelimit-limit: 3000
    ratelimit-remaining: 2998
    ratelimit-reset: 1732482126
    ratelimit-policy: 3000;w=300
    content-length: 268
    x-content-type-options: nosniff
    content-security-policy: default-src 'none'; sandbox
    content-type: text/html; charset=utf-8
    date: Sun, 24 Nov 2024 20:57:24 GMT
    strict-transport-security: max-age=63072000
Presumably that ratelimit is against your IP?

"access-control-allow-origin: *" is interesting - it means you can access content hosted in this way using fetch() from JavaScript on any web page on any other domain.

"content-security-policy: default-src 'none'; sandbox" is very restrictive (which is good) - content hosted here won't be able to load additional scripts or images, and the sandbox tag means it can't run JavaScript either: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...

2
benatkin 4 days ago

Blocking/allowlisting all JavaScript is the only way [1] to have a CSP fully contain an app (no exfiltration) [2] and with prefetch that might not be enough. The author is correct at the end to suggest using WebAssembly. (Also, it still has the issue of clicking links, which can be limited to certain domains or even data: by wrapping the untrusted code in an iframe and using child-src on the parent of the iframe)

1: https://github.com/w3c/webappsec/issues/656#issuecomment-246...

2: https://www.w3.org/TR/CSP3/#exfiltration

2 replies
EE84M3i 3 days ago

I didn't realize you could use CSP for preventing exhilaration now! How did they close the WebRTC loopholes?

1 reply
benatkin 3 days ago

They haven't. That in the spec stops short of actually saying that it will stop all exfiltration. What it will do is make it harder because you'd have to put the data in a subdomain or in a username/password. It also could make it hard to deny that an attempt to exfiltrate was deliberate.

kmeisthax 4 days ago

Why would WebAssembly provide more protection against exfiltration than JavaScript in this case?

1 reply
benatkin 4 days ago

By default WebAssembly doesn't have access to the DOM or JavaScript globals. You have full control of how it can access these things.

nightpool 4 days ago

is the default-src necessary if you're using sandbox or is it redundant?

1 reply
johncolanduoni 4 days ago

`sandbox` doesn’t affect making requests via HTML (images, stylesheets, etc.).

1 reply
nightpool 3 days ago

Right, but what would be the security impact of that compared to just plain HTML? I guess it allows for some form of view counting or IP exfiltration, but other than that anything you can do with an external request you could do with an embedded data URI.

1 reply
brewmarche 3 days ago

As far as I understand CSP, since it’s set to `none`, no URIs are allowed, not even `data`. Inline scripts and stylesheets are not allowed either, since `unsafe-inline` (or nonces/hashes) is missing.