[whatwg] Security restriction allows content thievery
Ian Hickson
ian at hixie.ch
Thu Sep 6 11:22:42 PDT 2012
On Mon, 16 Jul 2012, Robert Eisele wrote:
>
> Browsers are very restrictive when one tries to access the contents of
> different domains (including the scheme), embedded via framesets. This
> is normally a good practice, but I'd suggest to weaken this restriction
> for the data: URI schema.
It already is. The origin of documents and images using data: URLs is
essentially the origin of wherever you found the URL.
> I'm currently building an analysis system like Google Analytics, which
> gets embedded into a website via a small JavaScript snippet. When I
> analyzed the data, I came across a very interesting trick because I got
> a lot of requests (with the data from location.href) where the entire
> website was embedded into a data:text/html URI - except that all ads of
> the page were replaced. Fortunately, my tracking code has been left
> without modifications.
Weird.
> But the scary thing is that this way you can monetize foreign content by
> simply embedding it somewhere you can direct traffic to. That's pretty
> clever, because the original site owner doesn't notice this abuse due to
> the fact that top.location.href isn't readable. Or even worse, he would
> never notice it at all when he doesn't sniff the URI with JavaScript,
> because image files would have no referrer.
>
> My final approach to convict the abuser is based on the fact, that the
> JavaScript was dynamically loaded from my server and that I can write to
> location.href. So I added this piece of code:
>
> if (top.location.protocol === 'data:') {
> top.location.href = 'http://example.com/trap/';
> }
>
> But even then the referrer will not be passed to the server. So my
> proposal is that the data URI schema gets an exception on this security
> behavior.
I don't understand. What referrer are you trying to set? To what?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
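An added example, not code from the thread: a defender-side form of the check Robert describes, packaged so the site's own snippet can detect that it is running inside a data: document or a foreign frame and build a report for the origin server. The window objects are injected (an assumption of this example) so the logic runs outside a browser.

```javascript
// Inspect the environment the page is running in. `win` is a window-like
// object; in a real deployment this would be the global `window`.
function assessEmbedding(win) {
  const report = {
    servedFromDataUrl: win.location.protocol === 'data:',
    framed: win.top !== win,
    topHref: null,          // readable only when the top window is same-origin
    topHrefBlocked: false,  // true when the browser refused cross-origin access
    suspicious: false,
  };
  if (report.framed) {
    try {
      report.topHref = win.top.location.href;
    } catch (e) {
      // Cross-origin access to top.location throws a SecurityError. Legitimate
      // embeds trigger this too, so it is recorded rather than treated as proof.
      report.topHrefBlocked = true;
    }
  }
  // A copy of the page rehosted inside a data:text/html document has no
  // http(s) origin of its own; that is the case described in the thread.
  report.suspicious = report.servedFromDataUrl;
  return report;
}

// Payload the snippet would send to the origin server. The referrer is empty
// when the page was served from a data: URL, as the thread notes, so it is
// carried explicitly alongside the page's own href.
function buildBeacon(report, pageHref, referrer) {
  return {
    event: report.suspicious ? 'rehosted-copy' : 'normal',
    page: pageHref,
    referrer: referrer || null,
    framed: report.framed,
    topHref: report.topHref,
    topHrefBlocked: report.topHrefBlocked,
  };
}

// Constructed window-like objects so the functions can be exercised offline.
function makeWindow(protocol, href, topWin) {
  const w = { location: { protocol, href } };
  w.top = topWin === undefined ? w : topWin;   // top === self when not framed
  return w;
}
```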