Security model of message passing #814

Closed
nothingismagick opened this issue Jul 12, 2020 · 6 comments
@nothingismagick
Member

nothingismagick commented Jul 12, 2020

Is your feature request related to a problem? Please describe.
At this hackernews comment, a very good point was raised about the null origin.

Describe the solution you'd like
The OP wrote:

> I recommend using pre-existing interfaces for launching apps like custom scheme URIs, or if really necessary writing individual handlers for the heavy lifting. I think the postMessage approach is great, too but it's vital that the caller origin is checked. The web app shouldn't need to run arbitrary commands on the computer.

Describe alternatives you've considered
Instead of allowing the webview to initiate an event, require the Rust side to do so, because we create a randomized handle for each event and can permit it to only be used once. In practice, today, we use the webview to create the event listener; however, at build time we can anticipate exactly what listeners are needed, so at runtime we can prepare the proper handle.

Additional context
http://archive.is/UXD8j

@nothingismagick nothingismagick self-assigned this Jul 12, 2020
@nothingismagick
Member Author

nothingismagick commented Jul 12, 2020

I've been doing some research and had a conversation with Lucas. We think there might be some options for hardening the upstream headers with forMainFrameOnly, but ultimately we need to manufacture an attack repo to validate the current vulnerability and mitigations.

Note: we are still in alpha, which is why this discussion is happening in the open. In the future we hope to have your trust such that you will be able to responsibly disclose potential vulnerabilities through the normal channels instead of posting them on hackernews.

@nothingismagick
Member Author

Also, there is a similarly themed discussion happening here: webview/webview#413

@wusyong
Member

wusyong commented Jul 16, 2020

> each event and can permit it to only be used once

This is definitely possible and idiomatic in Rust. There is a FnOnce trait to serve this need. In fact, we actually have to mem::forget it in webview_rust, or those callbacks will just be dropped. I think what I'm not sure about is how to initiate the events only in Rust.

@nothingismagick
Member Author

This would mean we disable event listener registration from the webview side. It makes things a little more complex for the devs, but it will enhance the security a thousandfold.
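
The one-time handle idea from the comments above, sketched as an added example that is not part of the original thread and is not Tauri's code: the Rust side registers each listener under a random handle, and the webview can only consume a handle that already exists, once. `OneShotRegistry`, `register`, `dispatch` and `DispatchError` are hypothetical names, and reading `/dev/urandom` assumes a Unix-like host.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

/// FnOnce makes "run at most once" a property of the type, not a runtime flag.
type Callback = Box<dyn FnOnce(&str) -> String>;

#[derive(Debug, PartialEq)]
enum DispatchError {
    UnknownOrSpentHandle,
}

/// Hypothetical registry owned by the Rust side; nothing here lets the
/// webview add a listener, it can only present a handle it was given.
struct OneShotRegistry {
    pending: HashMap<String, Callback>,
}

impl OneShotRegistry {
    fn new() -> Self {
        Self { pending: HashMap::new() }
    }

    /// Stores the callback and returns a 128-bit random handle as 32 hex chars.
    fn register<F>(&mut self, cb: F) -> std::io::Result<String>
    where
        F: FnOnce(&str) -> String + 'static,
    {
        let mut raw = [0u8; 16];
        // Assumption: Unix-like host. Portable code would use an OS CSPRNG crate.
        File::open("/dev/urandom")?.read_exact(&mut raw)?;
        let handle: String = raw.iter().map(|b| format!("{:02x}", b)).collect();
        self.pending.insert(handle.clone(), Box::new(cb));
        Ok(handle)
    }

    /// Called for every message arriving from the webview.
    fn dispatch(&mut self, handle: &str, payload: &str) -> Result<String, DispatchError> {
        // remove() moves the callback out, so a replayed or guessed handle finds nothing.
        let cb = self.pending.remove(handle).ok_or(DispatchError::UnknownOrSpentHandle)?;
        Ok(cb(payload))
    }
}

fn main() -> std::io::Result<()> {
    let mut reg = OneShotRegistry::new();
    let h = reg.register(|p| format!("saved:{}", p))?; // constructed sample listener
    println!("{:?}", reg.dispatch(&h, "settings")); // first use succeeds
    println!("{:?}", reg.dispatch(&h, "settings")); // replay is rejected
    Ok(())
}
```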

@lucasfernog lucasfernog added question type: bug help wanted Help is requested to fix this issue labels Jul 18, 2020
@nothingismagick
Member Author

This article goes into more details.
https://byte.how/posts/webview-androids-most-convenient-footgun/
