All apps have the same origin (file), so are not sandboxed from each other (Bug #1181)


Added by Doug Reeder 11 months ago. Updated 11 months ago.


Status: New
Priority: Normal
Assignee: Christophe Chapuis
Category: -
Target version: Later
Start date: 10/02/2016
Due date:
% Done: 0%

Description

To demonstrate, for the Chrome sandbox file APIs:
1) Install Serene Notes, from the Hominid Software feed
2) Add one or more notes
3) From the hamburger menu, select "Preferences & Help"
4) Enable "Backup Nightly". One backup will be made, then Backup Nightly will be disabled, as it can't be scheduled.
5) Use the Back gesture to return to the list pane.
6) From the hamburger menu, select "Restore from backup file". Observe that a backup file exists.
7) Launch Testr
8) In the File APIs tab, select "Chrome sandbox - write file"
9) Select "Chrome sandbox - delete all".
Expected behavior: one entry is removed, "/Testr"
Actual behavior: two entries are removed, "/Testr" and "/backups" (the directory used by Serene Notes)
10) Switch back to Serene Notes
11) From the hamburger menu, select "Restore from backup file"
Expected behavior: backup file is listed
Actual behavior: "No backups..." message is displayed.

Apparently, all apps have the same web platform origin (navigator.origin): protocol=file, host="", port=0 (See https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)
Presumably, other local storage features suffer the same security problem. Among other things, this means that a file randomly downloaded, when executed, has similar access to apps specifically installed by the user.

webOS set origin to undefined, which is not compatible with the web security model, and required workarounds in system code and app code.

Firefox OS used a special origin for packaged apps (https://developer.mozilla.org/en-US/Apps/Publishing/Packaged_Apps#Differences_from_hosted_apps).

Probably, what we need is a custom protocol, probably called "app", with a "host" value equal to the appId. This would be a non-trivial amount of work, but then many things would fall into place: local storage, JavaScript files, resources, such as CSS and images, Content Security Policy, sensitive APIs, etc.
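As an added illustration (not part of the original report), the following models the origin tuple that the same-origin policy compares, per the MDN page linked above, and shows why every app loaded from a file: URL compares as same-origin while the proposed app://<appId> scheme would give each app its own origin. The file paths and app ids used are constructed for the example.

```javascript
// Added example: compare the (scheme, host, port) tuple that the same-origin
// policy uses. Not code from LuneOS, QtWebEngine or the apps named in the bug.

function originOf(urlString) {
  const url = new URL(urlString);
  // The WHATWG URL parser reports an opaque "null" origin for file: URLs,
  // so derive the tuple directly from the components the policy compares.
  return {
    scheme: url.protocol.replace(/:$/, ""),
    host: url.hostname,          // "" for file: URLs, the appId for app:// URLs
    port: url.port,              // "" when the scheme's default port applies
  };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed install paths for two unrelated apps loaded from the filesystem.
const NOTES_FILE = "file:///usr/palm/applications/com.example.notes/index.html";
const TESTR_FILE = "file:///usr/palm/applications/com.example.testr/index.html";

// The same two apps under the custom "app" scheme proposed in the report,
// with the host set to the appId (a hypothetical scheme, not yet implemented).
const NOTES_APP = "app://com.example.notes/index.html";
const TESTR_APP = "app://com.example.testr/index.html";

// Summarise both cases so the block can be run on its own.
function report() {
  return {
    fileOrigin: originOf(NOTES_FILE),          // { scheme: "file", host: "", port: "" }
    fileAppsShareOrigin: sameOrigin(NOTES_FILE, TESTR_FILE),   // true: shared storage
    appSchemeShareOrigin: sameOrigin(NOTES_APP, TESTR_APP),    // false: isolated
    samePackageSameOrigin: sameOrigin(NOTES_APP, "app://com.example.notes/help.html"), // true
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Because the scheme/host/port tuple is what the browser engine keys localStorage, IndexedDB and the sandboxed filesystem on, any two file: apps fall into one storage bucket, which is what the "/backups" directory disappearing in step 9 shows; giving each package its own host value is what separates them.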


History

Updated by Herman van Hazendonk 11 months ago

  • Target version set to Later
  • Assignee set to Christophe Chapuis

Updated by Christophe Chapuis 11 months ago

Sandboxing has been activated in QtWebEngine in Qt 5.7, but isn't present yet for Linux on 5.6.

See https://bugreports.qt.io/browse/QTBUG-50708 and https://github.com/qt/qtwebengine/commit/7a49313c84ccd4779e396b7bc8341a331d90f96f

A naïve attempt to simply backport this commit proved to be unsuccessful, maybe because the Chromium version was too old.
