[Webkit-unassigned] [Bug 205717] New: User Script Sandboxing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 3 05:17:18 PST 2020


            Bug ID: 205717
           Summary: User Script Sandboxing
           Product: WebKit
           Version: Safari 13
          Hardware: iPhone / iPad
                OS: iOS 13
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: krzysztof.modras at gmail.com

Interaction with web content in WKWebView is done with the help of so-called User Scripts. The provided messaging pipe is inherently insecure, as a website script can send messages that the native handler cannot distinguish from messages sent by the User Script. A common way to deal with this problem is the injection of a secret value that only the user script has access to. Example from Firefox for iOS: https://github.com/mozilla-mobile/firefox-ios/blob/88b719404591c322c16e03990bb351a1b77b1a59/Client/Frontend/Browser/UserScriptManager.swift#L33

The fact that User Scripts are injected into the JavaScript context of a website makes them an easy target for exploitation. Websites can try to:
* trigger app features (in ways unintended by the developers)
* abuse app bugs

As some iOS browsers implement password managers with the help of User Scripts, the risk factor is very high.

In the WebExtension ecosystem, communication between website content and "native" code is done with the help of so-called Content Scripts (https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#Accessing_page_script_objects_from_content_scripts), which, in contrast to User Scripts, are evaluated in a sandboxed JavaScript context that shares a reference to the website's window object.
In WebExtensions, the functions used to communicate with the native code are present only in this sandboxed environment, so a website cannot send any messages.

Such an environment makes developing user scripts much safer, so WebKit should consider implementing proper User Script sandboxing.
