Cookie Security of Pop-Up Window - how to deal with it?

realfun

I have been to some CSS/HTML/JS discussion boards which provide a text
box to enter HTML and a "Run it!" button to run the HTML in a new
pop-up window.

I want to make one also, which is easy in jQuery:

function try_show_result() {
    var code = $("#try-input").val();
    if (code !== "") {
        // window.open('') yields an about:blank document, which inherits
        // the opener's origin; the submitted HTML is then written into it
        var newwin = window.open('', '', '');
        newwin.opener = null;
        newwin.document.write(code);
        newwin.document.close();
    }
}
But then I found a security problem: the pop-up window has the full
ability to run arbitrary JavaScript. So when another authenticated user
runs a given piece of code on the page, it could steal cookies or access
some URL that is only for the specified user through AJAX posts, i.e. an
XSS/CSRF attack.

Is there an easy way to avoid this?

I added newwin.document.cookie = "" before opening the window, but no luck.
 
realfun

> It is already possible to execute any arbitrary javascript by entering a
> javascript pseudo-protocol URL into the address/location bar (or
> executing a bookmarklet). This includes the ability to add SCRIPT
> elements to the DOM and so import any external script of any size (so
> the URL/bookmarklet size limits are non-constraining). (Even if you
> attempt to hide the address/location bar the user can either block that
> ability or can get it back; for example in IE Ctrl-N will often be
> enough for the task.)
>
> If your security hangs on the inability of the user to execute arbitrary
> scripts in their browser while viewing your web pages/applications then
> you have already lost.
>
> > So when another authenticated user runs a given piece of code on
> > the page,
>
> What does that mean? Who is this "another authenticated user" and where
> is he?
>
> > it could steal cookies
>
> From who? The cookies that can be accessed from the browser are the
> cookies that have been sent to the browser, so in some sense they
> already belong to that user.
>
> > or access some URL that is only for the specified user
>
> Which specified user? The one who owns the cookies (which presumably are
> session tracking cookies used to identify the user as "authenticated")?
>
> It is difficult not to think that if you need to ask this question then
> maybe you are not yet ready to be involved in any designing where
> security is a consideration.
>
> Richard.

Thanks for your help.

Let me give an example:

There is a forum on which users can post code blocks for HTML/CSS/JS.
The code block will be displayed in a textarea; at the bottom of the
textarea there will be a button which, when clicked, opens a *new page*
with the source code from the given code block (using the method I
posted above). This is common for web-dev forums.

1. UserA posts a code block which contains a piece of JS code to send
document.cookie to his website.
2. UserB sees this code and clicks Run; UserB's cookie is then sent to
UserA's website, so the cookie is stolen.

So my question is: is it possible to sandbox the newly opened page to
avoid this kind of security issue?

Regards,
Zhongfang
 
Richard Cornford

> Let me give an example:
>
> There is a forum on which users can post code blocks for HTML/CSS/JS.
> The code block will be displayed in a textarea; at the bottom of the
> textarea there will be a button which, when clicked, opens a *new page*
> with the source code from the given code block (using the method I
> posted above). This is common for web-dev forums.
>
> 1. UserA posts a code block which contains a piece of JS code to send
> document.cookie to his website.
> 2. UserB sees this code and clicks Run; UserB's cookie is then sent to
> UserA's website, so the cookie is stolen.

So this is the (authenticated) session cookie, and so long as it has
not expired, having the cookie gives (or may give) UserA the
opportunity to access UserB's personal information (account details,
etc.) on the forum site.

In general web application/site design, one thing you never want to
allow is for a UserA to enter anything that a UserB will later execute
as script while viewing the site/application. It is a basic security
thing.

> So my question is: is it possible to sandbox the newly opened page to
> avoid this kind of security issue?

You will have to move the code that creates the page that shows up in
the pop-up from client-side to server-side, but if the pop-up window
did not share the same domain as the page that opened it then the
opening page's session cookies would be unavailable to scripts on the
opened page, and scripted interactions between the two would be
prevented. That should render the opening of the pop-up no more
dangerous than opening any other arbitrary web site on the internet.

Richard.
 
