[Webkit-unassigned] [Bug 205717] User Script Sandboxing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 4 16:10:38 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=205717

Garvan Keeley <garvankeeley at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |garvankeeley at gmail.com

--- Comment #2 from Garvan Keeley <garvankeeley at gmail.com> ---
To be clear, the example from Firefox iOS is useful only for native-to-JS https://github.com/mozilla-mobile/firefox-ios/blob/88b719404591c322c16e03990bb351a1b77b1a59/Client/Frontend/Browser/UserScriptManager.swift#L33.

JS-to-native security is poor because webkit.messageHandlers is trivially overridable by non-app JS in a webpage:
webkit = {};
webkit.messageHandlers = {};
webkit.messageHandlers.hackedHandler = {};

This is a major security flaw.

Brave iOS uses a UUID-namespaced JS object for their WKUserScript-injected JS, putting all injected JS in a runtime-generated, non-introspectable parent object. This seems secure for native-to-JS; I haven't investigated if this is hackable for JS-to-native.

There is no method to prevent overrides of native calls in the JS context (WKUserScript and the webpage share the same JS context); any call to native JS methods that is overridable can be used to hack WKUserScripts. This means there is a nearly unlimited surface area for attack.

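The failure mode described in the comment above, as an added illustration that is not part of the bug report or of WebKit: a plain Node.js simulation of a WKUserScript that resolves window.webkit.messageHandlers on every call versus one that captures the bound native postMessage at document-start, before any page script runs. The "native" side, the handler name appHandler, and the page script that replaces window.webkit (the same override shown in the comment) are all stand-ins constructed for the example.

```javascript
// Added example, not WebKit code: models a WKWebView page where an injected
// user script and untrusted page JS share one JS context. The native bridge
// is a plain JS object here; in a real WKWebView it is provided by WebKit.

function makeNativeBridge() {
  const received = [];
  // Stand-in for WebKit's injected window.webkit.messageHandlers object.
  const win = {
    webkit: {
      messageHandlers: {
        appHandler: {
          postMessage(msg) { received.push(msg); },
        },
      },
    },
  };
  return { win, received };
}

// Pattern 1 (fragile): the user script looks the handler up on every call,
// so whatever window.webkit points to at call time receives the message.
function installLazyUserScript(win) {
  return {
    send(msg) { win.webkit.messageHandlers.appHandler.postMessage(msg); },
  };
}

// Pattern 2 (hardened for this specific hole): at document-start the user
// script captures the native postMessage bound to its handler object and
// keeps it in a closure. Later reassignment of window.webkit by page JS
// no longer affects where send() delivers.
function installCapturingUserScript(win) {
  const handler = win.webkit.messageHandlers.appHandler;
  const post = handler.postMessage.bind(handler);
  return {
    send(msg) { post(msg); },
  };
}

// Page JS from the untrusted origin, doing what the comment shows:
// replacing window.webkit with its own object so it sees the messages.
function runPageOverride(win, intercepted) {
  win.webkit = {
    messageHandlers: {
      appHandler: { postMessage(msg) { intercepted.push(msg); } },
    },
  };
}

// Runs one scenario in order: user script injected at documentStart,
// then page JS, then the user script sends a message to native.
function simulate(installUserScript) {
  const { win, received } = makeNativeBridge();
  const userScript = installUserScript(win);   // documentStart: before page JS
  const intercepted = [];
  runPageOverride(win, intercepted);           // page JS runs afterwards
  userScript.send({ type: 'status', value: 1 });
  return { nativeGot: received.length, pageIntercepted: intercepted.length };
}

// Usage:
//   simulate(installLazyUserScript)      -> { nativeGot: 0, pageIntercepted: 1 }
//   simulate(installCapturingUserScript) -> { nativeGot: 1, pageIntercepted: 0 }
```

Capturing the bound function only closes the lazy-lookup hole; it does not change the comment's wider point that user script and page share one context, so page JS that tampers with shared built-ins (for example prototypes the user script relies on) can still interfere with the script before it reaches native.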