Date: Mon, 9 Nov 2020 23:11:16 +0000
From: Adam Thompson
To: Karl Dahlke
Cc: edbrowse-dev@edbrowse.org
Subject: Re: [edbrowse-dev] interwindow bleed
Message-ID: <20201109231116.GB4369@toaster>
In-Reply-To: <20201005232257.eklhad@comcast.net>
List-Id: Edbrowse Development List

On Thu, Nov 05, 2020 at 11:22:57PM -0500, Karl Dahlke wrote:
> Guys - really?
> We've had this architecture for over 2 years and none of you called me on it?
> None of you said,
>
> "Ok Karl, it's more efficient, but there's a security hole big enough to drive a truck through!"
>
> We compile our dom in the master window, mw0, just once, not every window every time, saves time, saves memory, saves resources, ok fine, but,
> then stop for 5 minutes and think what someone can do.
> Write your own appendChild function that calls mine, by making a copy of mw0.appendChild, then put yours in its place.
> Since yours does what mine does, no one will ever know.
> But you intercept and you have access to "this".
> Climb up to document, then spider and read the entire web page.
> document.location gives the url he is looking at.
> If it's juicy, gather up information and submit it by form.submit or xhr or whatever.
>
> Dude - seriously.
> Any sort of interwindow bleed is a security hole.

Yeah... surprised (and annoyed with myself) that I didn't think about this...
I guess I just watched the commits land in the repo and didn't look at the architecture they were creating... sorry about that.

> It came to mind because sm doesn't share pages as easily as duktape.
> I think I figured out how to do it, how to share the master window among all other windows,
> but then I thought: I shouldn't be doing that anyways.
>
> Ok so building everything in each window is a waste.
> Adam said 8 years ago to write it all in C, and he's sort of right for this reason,
> but rewriting js in c multiplies the code by about 10, no kidding,
> 4500 lines of js becomes 45,000 lines of c,
> all of edbrowse so far after 20 years is about 45,000 lines,
> so we clearly don't have the time or resources for that.
> So we have to settle for where it is.
> But in the grand scheme it's not so bad.
> Web pages pull in jquery, which is ten times as big as my startwindow.js, after minimization, maybe 30 times before,
> and that gets sucked in and processed on every page of the website, and if we're going to handle that,
> then I guess we can build my dom each time too.

Agreed. Honestly, performance is probably the least of our problems right now.

> So speak now or forever, but I'm going to restructure it so it builds insitu each time,
> (I like that word, insitu),
> and then the master window, which I'll keep, is only for our third party deminimization software.
> That doesn't even ship with production anyways.

Does that mean it won't be a "master window" without that built? Or are you going to still have it but ensure isolation in some other way?
Or, if present, will it merely be to hold the extra debugging functions etc?

> So that will keep me up tonight.

I hope it wasn't that bad.

Cheers,
Adam.