
The same-origin policy protects us from a malicious site manipulating the data on our trusted site by not allowing requests that would send the auth cookie, e.g. But if I understand correctly, images, scripts, etc. are an exception to that rule.

See e.g. here:

A web page may freely embed images, stylesheets, scripts, iframes, videos. Certain "cross-domain" requests, notably AJAX requests, however are forbidden by default by the same-origin security policy.

Does that mean that if I have a "secret image" on Facebook (or any other resource with cookie session auth), any malicious site that I accidentally visit will be able to load that image in a hidden tag, e.g., and read it? They would definitely need to know the URL, but for many sites it can be as easy as guessing IDs (or enumerating them 1, 2, 3...).

This does not sound secure at all to me. Am I missing a point here? It seems that auto-sending cookies for all requests, and cookies in general, is just evil for security (not for the ads, though, which are hugely based on this "nice" feature if I remember correctly).

It should be even worse for iframes (if you can embed and read data from a bank iframe, e.g.), so it has to be protected somehow.

Anders
Ilya Chernomordik
  • You can display images from external sources, but unless they include the CORS tags you won't be able to process them (like get the pixel data) through JavaScript. – SztupY Oct 27 '16 at 09:01

1 Answer


Does that mean that if I have a "secret image" on Facebook (or any other resource with cookie session auth) any malicious site that I accidentally visit will be able to load that image in a hidden tag e.g. and read it?

You are correct until the last two words. Yes, any site you visit can load the secret image into your browser. But it cannot read it (unless e.g. Facebook has a CORS policy allowing it).

To read the pixel values from an image with JavaScript you would need to do something like loading it into a canvas and then using getImageData() or similar. However, when you load a cross origin image into a canvas the canvas gets "tainted", and those functions are blocked. This is to prevent the kind of risk you are talking about. (Read more about it on Mozilla.)

So all the malicious site can do is load the image into your browser, where only you, not them, see it. And that's not very useful.

There are similar protections in place for e.g. iframes. While evil.com can display bank.com in an iframe, JavaScript loaded by evil.com cannot read any data from inside the iframe. So all the attackers can do is display your account balance to you. And that is what the SOP is all about.

Anders
  • Sounds like an enormous amount of tricks for browsers to prevent instead of just disabling cross-domain cookies :) – Ilya Chernomordik Oct 27 '16 at 09:33
  • @IlyaChernomordik I agree that it is complicated, and in hindsight there would probably have been a better way to do it. But cross-site cookies have some legitimate use cases, so just banning them would be problematic. However, there is work on the [same site cookie](http://security.stackexchange.com/q/121971/98538). – Anders Oct 27 '16 at 10:41
  • Be aware of things like [Pixel Perfect Timing Attacks](https://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/) though. – Gabor Lengyel Oct 27 '16 at 12:34
  • "_So all the malicious site can do is load the image into your browser_" It could load it in another window or frame, but that wouldn't be very useful (beyond the fact that an arbitrary HTTP GET was done, of course). But that isn't "all". It can put it in its own webpage, with all its own content around it. That could be extremely confusing. – curiousguy Jun 12 '18 at 20:44
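As an added example (not code from the answer or from any browser), here is a small model of the rule the answer describes: a canvas stops being "origin-clean" (is tainted) once a cross-origin image is drawn into it without CORS approval, and `getImageData()` then throws a `SecurityError`. Page and image URLs, the `crossorigin` attribute value and the response headers are constructed inputs; the hostnames are placeholders.

```javascript
// Model of the browser's decision: may a page read pixels of an image it drew on a canvas?
// Uses Node's global WHATWG URL class; no DOM is needed.

function originOf(url) {
  // Origin = scheme + host + port; URL.origin drops default ports (":443", ":80").
  return new URL(url).origin;
}

function corsResponseAllowed(pageOrigin, mode, headers) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  if (mode === "use-credentials") {
    // Credentialed CORS: the wildcard is rejected; the origin must match exactly and
    // Access-Control-Allow-Credentials: true must be present.
    return acao === pageOrigin && acac === "true";
  }
  return acao === "*" || acao === pageOrigin; // anonymous mode
}

function loadAndDraw(pageUrl, imageUrl, crossorigin, headers) {
  // Returns the canvas state after <img> load and ctx.drawImage(): { loaded, originClean }.
  const pageOrigin = originOf(pageUrl);
  if (originOf(imageUrl) === pageOrigin) return { loaded: true, originClean: true };
  if (crossorigin === null || crossorigin === undefined) {
    // No crossorigin attribute: a plain, cookie-bearing request. The private image
    // displays (all the embedding page can achieve), but the canvas is tainted.
    return { loaded: true, originClean: false };
  }
  // crossorigin="" or any unrecognised value means "anonymous": no cookies are sent,
  // so a cookie-protected image would not even be served in this mode.
  const mode = crossorigin === "use-credentials" ? "use-credentials" : "anonymous";
  if (!corsResponseAllowed(pageOrigin, mode, headers)) {
    return { loaded: false, originClean: true }; // <img> fires 'error'; nothing drawn
  }
  return { loaded: true, originClean: true };
}

function getImageData(canvas) {
  if (!canvas.originClean) throw new Error("SecurityError: canvas is tainted");
  return "pixel data";
}

function attemptRead(pageUrl, imageUrl, crossorigin, headers) {
  const canvas = loadAndDraw(pageUrl, imageUrl, crossorigin, headers || {});
  if (!canvas.loaded) return "load-error";
  try { getImageData(canvas); return "read"; } catch (e) { return "SecurityError"; }
}
```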