2

Web App Model

Suppose I have a sensitive JS object by which I can do critical stuff. My requirement is that I would like to wrap this object entirely such that no one can access it. Here is my pattern to wrap this object.

var proxy = (function (window){
    // A private reference to my critical object (i.e. big apple)
    var bigApple = window.bigApple;

    // Delete this property so that no one else can access it
    delete window.bigApple;

    // Oooah, It's mine! I'm now eating it :)

    // Public APIs exposed globally
    return {
        doStuffWithBigApple: function (){

            // The Script element being executed now
            var who = document.currentScript;

            // Access control
            if(isLegitimate(who)){
                return bigApple.doStuff();
            }
        }
    };
}) (window);

By this code I export a public literal object named proxy so that every one can access it.

What is that isLegitimate? It is an abstract function to be implemented which decides which script elements access to which methods of my big apple. The decision is made with regard to src attribute of the script element. (i.e. their domain)

Others use this public API like this:

proxy.doStuffWithBigApple();

Attack Model

In my web app there are placeholders for advertising such that external contents including JavaScript codes could be loaded and get executed. All of these external resources eagerly would want to access my big apple.

Note: Those are added after my scripts resulting in there is no access to the original window.bigApple.

My Question

Is there any circumventing way for my security model?

Critical edges:

  • Changing src attribute at parse-time. --- Not possible, because src can only be set once.
  • Adding script element at run-time --- No problem is raised
Improve this question
2
  • Just wondering what you are trying to protect your site against - i.e. couldn't a malicious advertisers script just implement their own bigApple? Some sites load advertiser content inside an IFrame to prevent scripts inside each IFrame referencing the parent page via SOP inheritance rules. Commented Sep 27, 2015 at 8:33
  • @SilverlightFox I would not want to implement this logic in my website as I already know IFrame is a well-known method for sand-boxing untrusted scripts. My purpose is to bring this logic to hybrid mobile apps in which SOP principle might not be met. Commented Sep 27, 2015 at 9:22

2 Answers 2

Reset to default
2

Your idea of creating a proxy is good imo, however, if you have access to ES6, why not looking into Proxy? I think it does what you want out-of-the-box.

The MDN provides good examples on how do traps for value validation in a setter, etc.

EDIT :

Possible trap I have imagined :
document.currentScript is not supported in IE. So if you care about it and decide to polyfill it/use a pre-exisiting polyfill, make sure it is secure. Or it could be used to modify on the fly the external script url returned by document.currentScript and skew the proxy. I don't know if this could happen in real life tho.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

It sounds good. However I have no problem with my own proxy. My question is how can an attacker circumvent my security model. As I've check out it's still not supported by major browsers.
This seems good, as I don't think there is a way to override document.currentScript setter. It is not supported in all browsers tho. If you use a pollyfill, just check if it implements the security it needs, or it might be overriden and create a trap.
Thanks for Polyfill. It could help me.
1

This way for protecting JavaScript objects has a very significant issue which should be addressed, otherwise this way will not work properly.

MDN noted on this API that:

It's important to note that this will not reference the <script> element if the code in the script is being called as a callback or event handler; it will only reference the element while it's initially being processed.

Thus, any call to proxy.doStuffWithBigApple(); inside callbacks and event handlers might lead to misbehaving of your framework.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.