New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What about Same-Origin Resource Sharing? #546
Comments
In what scenario would the content be allowed to load at all? If you allow it to load in a top-level window, the same-origin attacker can still walk the DOM of that window. One could imagine that this header implicitly disavows the opener, I guess. But stepping back a bit-- Access-Control-Allow-Origin is about controlling access to the response. In the case you've described, you're trying to block the request to |
Content should only be loaded on a simple http request. For example I am not expecting any XHR request on
In this case, I am trying to block the accessibility of the response, not the request. My previous solution was to initiate new header on the request and then block it at the server side but it wasn't feasible. |
Ah, is the theory here that |
Exactly
If you see the XSS payload in 1st post, its sending 1st request to steal
CSRF token then in 2nd request, its using that token to submit form i.e.
inject a new administrator user.
…On Tue, Feb 12, 2019 at 12:07 AM Eric Lawrence ***@***.***> wrote:
In this case, I am trying to block the accessibility of the response, not
the request
Ah, is the theory here that user-new.php is the page that contains some
anti-CSRF token that you're trying to hide?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#546 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AhYShEdYw0O9nSEDhFr8iV3MExOO5Ilgks5vMc1jgaJpZM4ayAEQ>
.
|
I can see some value about what you're trying to achieve, but I can't find a way around the Same-Origin Policy biting you along the way. If you block XHR/fetch, you also need to block navigation ( |
Yeah window.open() and iframe were the worst case scenarios. So the potential solution is to restrict them from getting loaded if header |
What you're proposing sounds similar in spirit to Suborigins: https://w3c.github.io/webappsec-suborigins/ (with some context in this doc) -- the idea is to allow parts of your application to isolate themselves from the rest of the origin. Sadly, this proposal is not actively pursued at the moment. As @mozfreddyb says, there is likely no tractable way to make this happen without extending the same-origin policy to separate documents that are currently considered-same origin -- there are simply too many interactions allowed under the SOP to provide meaningful guarantees otherwise. |
The idea is about to prevent XSS to RCE scenarios because its successful mostly because of SOP. For example if there is a XSS in Wordpress theme, it can be easily converted into RCE using following Javascript code.
The 1st XHR request fetches the CSRF token and then 2nd sends CSRF request to add admin user. Though I already shared this idea on whatwg but the solution wasn't feasible since its implementation could have been very complex. So I came around another solution like what if the server initiates this already existing heaeder
Access-Control-Allow-Origin: none
and the user-agent restricts the response to be fetched by Javascript. Thenone
will dictate browser to not share content even with Same-Origin.On the legit XHR/Ajax calls i.e.
wp-admin/admin-ajax.php
, this header shouldn't be initiated by server. The server wasn't expecting any XHR request onwp-admin/user-new.php
whatsoever.One of the use cases is that an attacker can open an iframe or a child window and walk through its DOM. The potential solution for this is, user-agent should not load iframe or child window if this header exists. In case of iframe, this header will work similar to
X-Frame-Options: deny
This technique may limit the impact of XSS on the vulnerable URL only and restrict attacker from abusing SOP. What do you guys think about this or if there is any other use case?
The text was updated successfully, but these errors were encountered: