@@ -1,35 +0,0 @@
-# Blob security
-
-**This is how we secure blob pages from interacting with Oasis. If you notice
-any errors or omissions, please follow the steps in the security policy.**
-
-One of the problems we have when hosting content from other people in a P2P
-network is avoiding
-[arbitrary code execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution).
-In the context of Oasis, we need to be very sure that we aren't letting any code
-other than Oasis run in the browser. Markdown is a security concern, but it's
-got lots of eyeballs on the problem, whereas blob security is a security
-concern without any common best practices. The problem we need to solve isn't
-super common: hosting arbitrary data, especially HTML, in a safe way that doesn't
-open security vulnerabilities.
-
-The way we currently deal with this is a [content security policy (CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP),
-which gives Oasis a way to tell the web browser which features can be safely
-disabled. Since Oasis doesn't use any front-end JavaScript, we can disable all
-JavaScript being run by the web browser. This is _huge_ and massively reduces
-the surface area that might be vulnerable to attack. You can find all of the
-CSP code in [`http.js`].
-
-With JavaScript out of the way, the only attack vector that we should worry
-about is an [HTML form](https://developer.mozilla.org/en-US/docs/Learn/Forms#See_also).
-If one of these were embedded in a blob, they would be able to send HTTP POST
-requests to our API endpoints, impersonating the user. A button called "click
-me", could publish posts, change follow status, make changes to our settings
-page, or other bad behavior that we want to avoid.
-
-The mitigation for this is a referrer check on all POST endpoints, which helps
-us guarantee that all form submissions came from a non-blob page. If we receive
-an HTTP POST without a referrer, we throw an error. If we receive a referrer from
-a blob page, we throw an error. If a form submission passes these two checks,
-we can safely assume that the POST request came from a legitimate person using
-Oasis.
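
Review bot: this hunk deletes the entire blob-security write-up (`-# Blob security` through `-Oasis.`) with nothing added in its place, so the only written record of the CSP and referrer-check mitigations leaves the repo; if the text moved elsewhere, link the new location in the commit message, and if the mitigation itself changed, say what replaced it. Whatever replaces this document should also fix two problems visible in the removed text. First, the referrer check as described is a deny-list: "If we receive a referrer from a blob page, we throw an error" rejects blob referrers but would accept a POST whose Referer names any other non-Oasis origin, so the check should require the Oasis origin rather than exclude blob paths; and because the Referer header is optional (browsers and a strict Referrer-Policy can strip it), the "without a referrer, we throw an error" branch will reject some legitimate users, which is worth stating. A `form-action` directive in the CSP sent with blob responses would additionally block the form submission in the browser before it ever reaches the POST endpoint. Second, the markdown link `[content security policy (CSP](...)` is missing its closing parenthesis and the reference-style link `` [`http.js`] `` has no matching definition in the file.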