From: Karl Dahlke
To: edbrowse-dev@edbrowse.org
Subject: [edbrowse-dev] sharing and security
Date: Sun, 21 Mar 2021 17:34:21 -0400
Message-ID: <20210221173421.eklhad@comcast.net>
User-Agent: edbrowse/3.8.0

This is just me thinking out loud.

Let's say we share the Table class in the master window mw$.
I don't have to replicate it and its methods for every web page.
Saves time and memory etc.
All good.

There's an addRow method, which of course, adds a row to the table.
I wrote it, and web pages can use it.
Let's say your bank uses it to dynamically add a row to a table.
An evil web developer can write a phishing page that looks harmless, maybe just information about kangaroos.
It replaces my addRow with its own addRow function.

mw$.Table.prototype.addRow = evil_addRow();

It starts with this(object) and works up through parentNode until it gets to document.
Then it looks at document.location to see if it is juicy.
Maybe a banking site.
It traverses the tree looking for a login form.
If it's really lucky, and it can try this again and again without you knowing it, it might find the login form.
Using xhr, it sends login and password back to a server in China somewhere.
Even more valuable is your routing and account numbers, which are probably somewhere on the page.
Whence the dude in China can withdraw money from your account by ACH.
After all that snooping, it calls the original addRow, my addRow, so it does what it did before and doesn't look any different.
You don't notice a thing.

Ok, I defend against that by making the addRow method not writable, not deletable.
Remember the second part cause they could remove mine and then replace it with theirs.
I can do that in JavaScript and it's not reversible.
All good.

But, addRow lives in the Table.prototype object.
What if they remove the entire prototype object and replace it with theirs, with all the methods I used to have, some of theirs boobytrapped.
So I make prototype not writable and not deletable.
The original class Table has to be not writable and not deletable, or they could replace the entire Table class in mw$ with their own.
Let's say I've done all that.

If I make one mistake of omission, if I forget one method in the DOM, let's say I forgot deleteRow.
evil.com notices that I forgot that.
They install their own deleteRow in mw$.Table.prototype.
This method does all the hijacking, then deletes the row consistent with my framework.
It does what I should have done.
Remember they can read my open source and know exactly how all this works.

Well I can't guard against that.
In every operating system you can make a directory readonly, but nothing like that in JavaScript.
If the prototype object exists, and you can see it, you can add something to it.
Maybe you can't change what's there, but you can add to it.
So we would have to be 100% perfect, with a function or at least a stub for every method that exists, and we would have to stay current with this as the DOM evolves, cause if we don't, a shared class opens up a security risk.

That's how it looks to me anyways.
Do you follow what I'm saying?
No wonder every browser writes all its classes in C, thus shared at a level that can't be hijacked; but of course we don't have the manpower to do that.
And if we did, we are, at that point, heavily invested in an engine; I couldn't just switch engines in a couple weeks as I just did with quick.

That's my discouraging thought for the day.

Karl Dahlke
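
Added example, not part of the message above and not edbrowse code: a check of how per-method locking compares with the standard ECMAScript Object.freeze when a script tries to plant a method the shared class never defined. Base, Table, makeShared, canInstall and canDelete are constructed names, and the planted function is an empty marker.

```javascript
'use strict';
// Base and Table are constructed stand-ins for shared DOM classes.
function makeShared() {
  function Base() {}
  function Table() { this.rows = []; }
  Table.prototype = Object.create(Base.prototype);
  Table.prototype.addRow = function (r) { return this.rows.push(r); };
  return { Base, Table };
}

// Attempt the write a page script would make; true means it took effect.
function canInstall(proto, name, fn) {
  try { proto[name] = fn; } catch (e) { /* TypeError in strict mode */ }
  return Object.prototype.hasOwnProperty.call(proto, name) && proto[name] === fn;
}
function canDelete(proto, name) {
  try { delete proto[name]; } catch (e) { /* TypeError in strict mode */ }
  return !Object.prototype.hasOwnProperty.call(proto, name);
}

function demo() {
  const planted = function () {}; // empty marker function
  // 1. Per-method locking: addRow is protected, an undefined deleteRow is not.
  const a = makeShared();
  Object.defineProperty(a.Table.prototype, 'addRow', { writable: false, configurable: false });
  const perMethod = {
    replaceAddRow: canInstall(a.Table.prototype, 'addRow', planted),
    deleteAddRow: canDelete(a.Table.prototype, 'addRow'),
    plantDeleteRow: canInstall(a.Table.prototype, 'deleteRow', planted),
  };
  // 2. Freezing only Table.prototype: additions fail there, but a method
  //    planted on a parent prototype is still inherited by every Table.
  const b = makeShared();
  Object.freeze(b.Table.prototype);
  const frozenLeaf = {
    plantDeleteRow: canInstall(b.Table.prototype, 'deleteRow', planted),
    plantOnParent: canInstall(b.Base.prototype, 'deleteRow', planted),
    inheritedByTable: new b.Table().deleteRow === planted,
  };
  // 3. Freezing the chain (stops before this process's own Object.prototype).
  const c = makeShared();
  for (let p = c.Table.prototype; p !== Object.prototype; p = Object.getPrototypeOf(p)) Object.freeze(p);
  const frozenChain = {
    plantOnParent: canInstall(c.Base.prototype, 'deleteRow', planted),
    addRowStillWorks: new c.Table().addRow('r1') === 1,
  };
  return { perMethod, frozenLeaf, frozenChain };
}
console.log(JSON.stringify(demo()));
```

A frozen prototype also rejects additions from legitimate page scripts, and in a shared context the shared Object.prototype would need the same treatment as the rest of the chain.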