0

I'm participating in a discussion on Quora where I argue that browser security means that JavaScript, ActiveX, and even Java applets, aren't allowed to act as torrent clients, even with the end user's permission. More specifically, I would think that opening a listening port would be something that a browser can't or shouldn't do.

Additionally, although websites CAN store data for offline storage, it shouldn't be a large enough amount to hold an entire movie or other large file.

I realize that jstorrent.com is a pure JavaScript torrent client for Chrome, but I'm arguing that it only works because Chrome itself supports magnet links and thus has a "built-in" torrent client.

How accurate is my argument?

I realize that there may be ways to create a torrent client without opening a listening port, but the primary statement I'm hoping is false is "With permissions granted by the user, a web app can do almost anything a non-web app can". Is this now true? I'm pretty sure it didn't use to be.

Anders
  • 64,406
  • 24
  • 178
  • 215

2 Answers2

1

You are wrong as far as assuming how jstorrent.com works. So I will elaborate a little on that first.

With jstorrent.com you are required to install it as a Chrome extension. Yes, it is only written in JavaScript. But as an extension it is no longer restricted to the sandbox environment it is in. It now has access to powerful APIs that allow it to access your filesystem and more. It also doesn't have the limitations that you would have with storage sizes and more. Additionally Chrome doesn't have a built in torrent client. These are implemented in the extensions. And jstorrent.com cannot possibly run at all as a regular website as a non extension.

JavaScript itself minus a few exploits in the past it is by far the safest browser scripting language available. Browsers intentionally try to lock it down and sandboxed as possible. Where things like ActiveX, Java applets, and Flash APIs are not completely sandboxed and a browser has limited control of them. But you can bypass this JS sandbox such as using a Chrome extension or using an application built with Electron which intentionally removes restrictions to allow expanded application development not possible through a regular web browser experience.

So could another browser support a JS torrent client? If they have an extension system or allow mods to bypass sandbox restrictions then absolutely. Firefox has a torrent client extension as well.

However both have separate APIs and separate ways of doing things. You would be looking at a lot of work to get jstorrent.com on Firefox or another browser.

So in closing, Chrome is not doing anything out of the box to risk your security. You are as soon as you are opting in to install an extension with elevated privileges. And yes, a torrent client could be made in the same way for any browser that has an extension system with the desired APIs available.

Edit: It is worth mentioning there are a few solutions out there where an application runs on your machine and acts as the client. Using web sockets they can transmit that data to a torrent client front end coded only in JavaScript and no extensions required. However, it is important to know the sandbox at this point is bypassed with the installed agent and not the web browser.

Bacon Brad
  • 3,340
  • 19
  • 26
0

The expectation is that a browser is sandboxed and not allowed to have free access to the system so that a web app can't "do anything a non-web app can". However, there have been many sandbox escapes found, published (and fixed) and you could argue that users can install add-ons and add-ons can vastly expand what a web app can do. Yes there are add-ons that can open ports. So, the statement is not false. Do a search for "Java Applet Torrent Client" and Firefox Torrent Extension and you will see many products. I don't think this is any more or less true now that it used to be. Check out the reaction to this Firefox bug report.

For your specific argument that add-ons can't open ports, here is someone posting code to do this in Firefox: https://stackoverflow.com/questions/28326301/tcpsocket-listen-on-firefox-addon

The only reasonable way to sandbox a browser, then, is to use Sandboxie or another outside-of-browser sandboxing solution.

Community
  • 1
mcgyver5
  • 6,807
  • 2
  • 24
  • 45
  • For clarity the torrent client in question is coded in JavaScript using the Chrome extension APIs. There is no relation between JavaScript and Java. They are both completely different beasts. I believe the OPs concerns are centered around JavaScript. – Bacon Brad Sep 01 '16 at 21:19