| blob | 199f65a24f230334257710b4d88968cea2dba94e |
2 <html>
3 <head>
7 </head>
8 <body>
17 </h1>
19 </h2>
20 This page describes an alternative mechanism which can be used to
21 protect all internal resources against requests from sandboxed
22 scripts. This should especially be implemented for SOAP calls
23 by untrusted scripts. When an attempt is made to access a
24 resource at a previously-unknown URI, the sandbox reads a file at that
25 domain with declarations to determine whether access is permitted to
28 </h2>
29 External untrusted scripts loaded behind a firewall are executed in a
30 sandbox. These scripts may legitimately require access to external
31 resources, but permitting them to access internal resources permits the
32 compromise of these resources that would normally not be available to
33 applications outside of the firewall. The sandbox must
34 distinguish and protect internal resources.<br>
36 Several client-controlled solutions have been designed to prevent
37 sandboxed applications loaded behind a firewall from compromising
38 other resources protected behind the firewall.
40 By restricting sandboxed scripts to access only resources in the domain
41 from which they were loaded, any script loaded from one domain into
42 another is prevented from accessing resources in the domain
43 into which it has been loaded. This policy has generally been
44 successful in sandboxing Javascript and Java applets across the web.<br>
45 <br>
46 If the sandbox is unable to distinguish the common URI substring of the
47 domain to be trusted from similar URIs of untrusted domains, then it
48 could allow a script loaded from an indistinguishable domain to
49 exploit firewall-protected resources.<br>
50 <br>
51 Also, this technique prevents the script from accessing many legitimate
52 external resources not provided in the same domain as the script.
53 This prevents a script from accessing web services and data
54 published from any domain besides its own.<br>
56 By creating a white list of trusted URIs from which scripts are trusted
57 to not compromise internal resources, it is possible to release domains
58 from the stricter same-source sandbox. A white list is a good tool
59 for including always-trusted domains, but on the web, it is often a
60 script from a relatively-untrusted domain that must be granted access
61 to other untrusted domains, without compromising internal domains.<br>
62 <br>
63 More-complex access lists could be created to try to establish, with
64 finer granularity, which domains are to be accessible or permitted
65 from which other domains, but this requires extensive management which
66 at best is quite error-prone for the end user and easily opens holes
67 in a firewall that do not directly hurt the user who reconfigured his
68 browser to try to access some external service but hurts the owners of
69 other services behind the firewall.<br>
71 A certain degree of additional trust may be lent to a script by having
72 the author digitally sign it. But signed scripts have not really
73 caught on as they require certificates do not change the basic
74 problem that some completely-unknown party has written a script that
75 might now have access to internal resources.<br>
77 Where the sandbox cannot otherwise determine whether the executing
78 script should be permitted access to the resource, a dialog box may
79 be raised to ask the user to grant special privileges. This is
80 currently permitted for locally-saved scripts and signed scripts.
81 This could be combined with the other options above such as
82 whitelisting, signed scripts, etc. But the big problem with this
83 is that the typical browser user really does not either understand or
84 pay the consequences if he inadvertently opens a hole in his company's
85 firewall. Quite complex settings may be required to permit the
86 user to allow access to desired external services without risking
87 other resources.<br>
89 Access by untrusted scripts really needs to be under the control of the
90 stake holder, which is the resource and server owner -- not the user --
91 to determine whether a resource should be insulated from web
92 applications loaded from outside of the firewall.<br>
94 SOAP messages have a distinct processing model allowing a header to be
95 added that the recipient is required to understand and accept, which
96 identifies the untrusted source of a script making a request.
97 SOAP services which have not been cleared for access by
98 untrusted scripts will reject the requests. This is offered in
99 the Mozilla implementation of SOAP today.<br>
100 <br>
101 Unfortunately, this does not prevent SOAP messages from being sent to
102 non-SOAP addresses, which is a big enough problem that the verification
103 cannot stand alone to guarantee that untrusted service requests are
104 always properly rejected by services that should be firewall-protected.<br>
105 <br>
106 It may also be inconvenient to modify a SOAP service to ignore the
107 specific verification header.<br>
109 </h3>
110 A more robust solution is to rely on getting a file named "<code>web-scripts-access.xml</code>"
111 in the root directory of the server that the sandboxed script requests
112 to communicate with. It should be fairly easy for most
113 providers of public resources to create.<br>
115 </h2>
116 The syntax of statements of the access file are as follows.
117 <pre><!ELEMENT webScriptAccess (delegate?|allow*)><br><!ELEMENT delegate EMPTY><br><!ELEMENT allow EMPTY><br><!ATTLIST allow type|from CDATA #IMPLIED>.<br></pre>
119 </h3>
120 The first element of the file should be the following:<br>
121 <code><br>
122 <wsa:webScriptAccess
125 If the <<code>delegate</code>/> element is present then "<code>web-scripts-access.xml</code>"
126 is required in the subdirectory for URIs which are in a subdirectory.
127 For example, if the script in question is "<code>http://www.example.com/foo/bar.xml</code>",
129 which contains the "<code>delegate</code>" keyword delegates to <code>http://www.example.com/foo/web-scripts-access.xml</code>.
130 If the URI is in a subdirectory, and the root directory's access
131 file delegated but no access file exists in the subdirectory, then no
132 access is granted. If the root's access file did not delegate,
133 then that access file also handles all resources in subdirectories.<br>
134 <br>
135 Any syntax error in the document will result in the rest of the file to
136 be ignored. Since the commands only allow access, the order of
137 processing the "<code>allow</code>" commands that were successfully
138 parsed is never significant.<br>
140 To permit scripts to access the resources of this server, use the
141 following command:<br>
142 <br>
145 <br>
146 The type of request, if specified, will be checked against the type of
150 any requested type of access to resources.<br>
151 <br>
152 The principle URI of the script will be checked for the specified URI
156 <br>
157 For example:<br>
158 <code><br>
160 <br>
161 This command allows SOAP requests with verification headers from
162 scripts loaded from the domain www.mozilla.org.<br>
163 <br>
165 <br>
166 </code> This command allows SOAP requests with verification headers from
167 scripts loaded from the domain with host name containing mozilla.org.
168 That is, http://www.mozilla.org/, http://lxr.mozilla.org,
169 http://komodo.mozilla.org, etc. will be granted access.<br>
172 This interface provides a way to check whether the running script has
173 access to the server that the script wishes to communicate.<br>
176 <ul>
178 <ul>
181 load, etc. )</li>
183 </ul>
185 <ul>
188 </li>
189 </ul>
190 </ul>
191 <ul>
192 <ul>
193 </ul>
194 </ul>
197 nsIWebScriptsAccessService)<br>
198 </span>Maintains access information, for servers, in an
199 access-info-cache ( hashtable ). If an entry was not found in the cache
200 creates one by loading the declaration file ( web-scripts-access.xml )
201 and extracting information from it ( declaration file ); requested <span
204 type and prefix in order to determine access. An entry is created if
205 and only if the declaration file is considered valid ( validation based
206 on the syntax described above ); an invalid document will result in
207 access denial. Denies script access in the event of an
208 xml-wellformedness error, or validation error, or if the declaration
209 file does not grant access. Reports errors ( validation,
210 wellformedness, file not found, etc. ) to the console via
211 nsIConsoleService.<br>
212 <br>
213 Note: Script access is checked via declaration file only if the script
216 </span>
217 <ul>
218 </ul>
221 The proposed declaration file places the server operator, not the
222 client in control of access to his server by untrusted scripts.
223 The access hole is no bigger than the service in question.
224 The access is disabled by default, and there is nothing the
225 user needs to do to open access, and nothing that can go wrong to
226 make a hole in his firewall. It seems fairly easy to drop an
227 access file into the root directory of the web server to allow access.<br>
229 Independent owners of subdirectories cannot grant web script access to
230 these subdirectories without getting the owner of the root directory to
231 post a delegating access file. Normally a server will be either
232 inside or outside of a firewall, so this is not a problem. Where
233 a server spans multiple owners, the alternative would be to scan all
234 directories in the path looking for a web scripts access file, which
235 seems undesirable. On the other hand, perhaps it is not so bad,
236 since it permits independent management in domains where the top level
237 owner may not care about providing access to web services.<br>
239 As this new model is applied to SOAP, and potentially document.load or
240 xml-request, it may be desirable to eliminate the same source security
241 bypass, because it is not clear that this is always secure.
244 Please send me some feedback on this proposal.<br>
245 </body>
246 </html>