ubuntu-phone team mailing list archive

Thread
Date

Re: webapps and script injection

To: ubuntu-phone@xxxxxxxxxxxxxxxxxxx
From: Ted Gould <ted@xxxxxxxxxx>
Date: Mon, 13 Apr 2015 16:00:52 -0500
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAIAAADYYG7QAAAAA3NCSVQICAjb4U/gAAAQqElEQVRYw5VYaZBcV3U+59779t6XmWlpRjMaeUarLdkWVlBYbAwCmyKxK9gVQjDgBJOqJJgUUEkqrgqhKiyhSDkmVYYEsCoBnARSxIBtJY4TFhtLMpa1WLs0izRr9/Teb3/3nvxoYSyZaDnVv7pP9fneWb7vnIfJ0q2NVlwq6AiXMyKYWwzvf+C44WW+/PnPaJxHvguIXDeFaQIAKWCcE6mw3QjdDsUxqMROZZRM4jDsNWpeFJ9dqP7Ft/ZEQWAJhgDvekfhK49uwIsDM8bg0cfmu73ksnjg9JT37vceOnbc/6Pfuw9lHIcBco3rppHK6HbacDJWtmCkskYq6wwOZ1atTVXWMKGHXk8ppZQERKHi8YLzjo0jgoGfqAU3+t5/1s/NBpcEYkCwZaOjicsnCPb8d6O+GP/WrrdOjFRIETCOnBmpjG6nuBBc01FwruvCtI10TnfSRjqnp7JJEidRKOMIEZMkkUkcEeiMaQwqju5F8pF/mCOiiwARQbUWM3YFQK1WbNvWh97zdgAkRGRMM22u6UQABACIBCqOkDGu6ZqVYpqmp3MATCYxAAACYwyI7nvzVk0wSQBEBZM/8d1ao5VcnCGEwQHd9SRcwfDeO9+RtS1CZFxjQmNcIOMABIwjMkAARJXEiMh1gwmdmxZqmpIJMgYAXAgAsDRezqYVgS8pVlA0ec+9KDTzfTU963N2BTjV5ehNWzcoQMY40wRjHBlDRERkXAAiKQLoZwuYEMg449xwMsg4KYWMXXAjGKkMuLHSGKY01ospCNVFgFxPjq2xbFtcHlDTlZV8GhC5bgABcoaMI2fAeL9cQAoAALH/YZwTEZECUkopZJwxzhgjIEsTBZNLAgDIG9z3LwZULmpz80Ecq8sDGhvOm4IzzgEudBvXdQDGuUAAUooAEBkyBsgQGeNchqEMw ySOlUwY54jIOAeAkws1RTDkiG6k8iaX8qKmFlLC9ZtTl3z7enO0DBMaAJKSgICMMSYYY4BISpJSjLF++ZgQpJRKktjvqThExhBACC1miIwDxbYm3ERxP6k4wk8U5xeP/XItXK5FpnmFJiJwkAtkDBCBCPrTxRgAKJkwxvr1YpoOACqOg3bDb64oGQMRACIyxjjjnIBKGZuINI41XyJANqtdBGhVxbjrjrIm2GVpmmSkM86FbgKAUupVmAR9cAjImGYwockoDLstr1FNQi8Jg35fESmh64jIEIfzaUfjsaS8yQHBMi4KzRDQ1K+YHlSJppSEC+FBxjEAkZJAhFwAAtN0phsyCmOv5zeWg3YDiBTXdDsFAIwL3XKICBFTpt4MEp0jAiQKLOui6AKuwpQiwXTNMBGBca6klEmspORMAADTDERELihJ4tDzmyvt6sK+wyeqHdexjJRllky+dsTRlEJAQKZxlASznWjQ0Yo54dj8mgFJRT1P+glJv8u5QMYkQYqIZEJEjHFkmkriJPTDduPwgRcPHDs5WhncsWXSsiwgCtxetdkuGsi4QMQd45XhQmah2fYTGtxg/WRva3S1OT5mIuBVASIi31cr9XZjeSnnmMBFiKwX08rJU5vGR0FopGQcx4qUisO508fbne49t+3ULbsbJWGiGMDqoUHpd1tL84xzxpkmxNqBXLXVLZh8/qz1s8cL36guPfwVUSwIBLxS9xCcmQn2/E89l3Xy+WyQyG4QJXGS1jAnqFVdTForUWMpaq8k3eaxI4dnlld0yz653Dw6fb7baokkMDQ+V2vMVptT1RYiMC4iqUZLWQW07Kv733LDz8+cv2l07LHHl4CuIkO1erT7XxZ3viGrC8ux7ZRtd1zPYAAycaWMInZueUoJPVQko+jQsZMmh11vvLnZ6VVbndmlHnFRGRiYXFNx67KxRAtt99mXT+w/OX3LuuFIwb07N52YW75+ZKCUcV6awV+I62WtkNfWX2 crRSnL7LjeZ3b/+74l/6F/+sFje36a1kUhZR06M12rrYhUPgiDqemp9UXr2JnpJ/a9ciiw/nnvyW//+MD+c7Xp2XOcC59bUw1/w8jgZ++57W2bxkjRltXFhUZ308jg/ErL4hYgXTlDguPtb8r7oTqxjw8V85/84D1WcWhIi9rLi1NzCxsn1m0aGxmfmMxNbu2eGzh38qjBOVnWnds3EtHOd95km3om5TiZrOmk3+hkDQbVmdPdelXEScExz1cb1w3ms7YZLLeNTAAEgFfR1OWydvBIz9QEEBVN4S2eWZc1ZXlLZe11DFRydsrKFhljmhA5xwaA0dWVwvBaikPiGjAuOAdSlMRttz5cLl7QO6Jbxgc7XvDKQv2midGltvvARzNwlVOmC9btyiAMqx2PWWmyimQzoRtulBiJX8qmhJMmqUDJcqlw/Pz8eU+tikSuVLZ1YAIplomUKUPPpdOIKHQdACzOHrx965nlVuvkQt0NzYJ30/WF/nJ9VTwUhGqokBsq5rRsiQkNGScAFXorp6bTuTxPZUhJSqKxteOmirnQClqiG0JyIZPYFKyYTaFKEtsEAM0wgYBIKkVPHpnxJRQyzuSa8DUb41VYrR7bpgHqwsZDpFTgukvnvE7LzA9w3VKhTwSpQjnmRiJ0igIj7JYsMVQu5vN5BKVCv09pF6ifCIgsXdx50+SPj03f/e4iIl4DoNm5YCCXJlKURACgQj9sVs9NT5lOOr16LcmEpGS6gYjZlB0R1vyk1+32lufC+lLidREQGAMCUiry3P5yDQjbRso7148Fdq0yoF+DdBDR7PlwYIsFBBRHJKK421iaP9/xo3JJUBJLpZAxZCz03CQMBrK5JnDSjIVq3azXc7mckcpwLpSS7eX5OAoQGSKudP31lVI3ikevU/ia2+wqegghdDVIYgBKAi/stpbqTSedKwHv9NzU0qyZLZBSfqv+7HMv/PTg8U/97l3jQ8OmYRRy2UajsbzSkEvVocF yEgah5wIgAfXCJEhUKq2db/RueFP6GsWVkKQW+j2v3URktXZnvuW98fr16XRqfrl26tTpUsaWfm/fkRPz9c7H3393cfUIEwIAEKBYKBQKBZLy3FK17Jiom6q+jL1OECenV7ot1JbU4v23Fa4REIJSOhea2262E6y54c4btyAXnInx63JEML+wsNx0r795x2+sHuK60acTUhKUjMLw6NTs1olx0zSdXKHrusgFACRKtYP4ww+0h1fnOMdrzRD0gtCwUzKOZmuNXbe+RaSyyDggAHIAGHMyI2vWkFKdnusAY0gAuNDs7Nl76OHHvvUHd79r24aJgXIJSCEpBqSUIoJuEBmGmbIvnaqr4iHinaYXpAVunRyXUfDED55/5fTUrW97m+DC87zY70nd1nIDxaFVnWo9CUNgbGRs4/Z3rcXd3/7wXe/U8wPIWNxpil5XJgkpBYyHPv+bz7UefbRyzYAQ4ZabUs8fPXvHjZNZxwIlb79x4zPPv2hWxm/f9U5EfP1UAsChQ4c++5cPffOv/zRbWcM0g0gBQBL6KkniONYE73oUv1h54un2b96Rfe1/XBUP3fn2wrMvHeVCS6IIAG3HefgTH3nxyX/7+0ce6XZar9IdERHRsWPH/uwTf/Lk1x75x4c+dvMtO5hm9Kkrdjth4EWhv9DszDW79boazJS/9iU2v5hcc8luviG90D7sx1LEkbBT3Eolbucj73n7wkrjkT//uEwVnOIQ07Tpqen6wrnt46sefM/t6XwBhYEXFkCKu02v3ZBRHHo9wdi/Pn9yMnODruvr7Rv/+FNPP/6NdeYvbo+rAsQYvv/e4lMvHr73rTukUoJzLZ0nGa8qFz56967+YeQGkVp/S6n0bqbryDVA3r/8AUBGgQy90O1Fvhv4/sHZZXTzelbjnOuaNnUk/bFPzn31kRFAxKssGQA8cF/lmYN7lSKvtqiiEBjTc2VuOv0xZAzzxdLAqmFu2cg1QLzw2qFfxzgMel0p k167EUTJd184O5EZ7f/a892cnl44MPqlRy+8KGJXIx2npryvf3OxueK9cPR07Lt+bUFFATCu5wfMwVG9OKTnh7iTRS76iemfqhcaXMnY7bqdlttqyDh+fO/xcWNCQN8NFlrLA1ZxPDvy1O6Be+4/sVgNxa9c7AGh15M/2dv60U/bLz3HkkZpTXpTKWh8c8++X1s/6nVamu3ouTIKHRGR2f3rkYAAiPpLAQNABkRxr9mtLiwuLomwO7Xceul4d0fxuv70ImLDb60SZSXlltJE4/zArbv2/gpA3V7y8FcX/vf7hukVSvrYeieFZey4Xd3SvaXkez87eNfOrUG7wa0U6hYyBlKSjJSU2NcL5ChEH03Sa/iN6v6DRwYNarvBF5/Yvy23DX9JKMgYE4x3O13LsQtG7o41d4rXF+i+j8xkqtsnuBYZse3YjDGv5y6GK1sGJ5uyufs7+zaPViaRCaOKXAg7A5wjt7lSpCSQQuSACKTizkrYbjy37yUrcWPAz/7Hz8a1DSY3+lE0wYUQpmbEIDViXs8lolwhzy4WCfrhf9WDmXEbjSiMbMfmnPuev+jVRkvDXs8Foq2ZjQ89+v1aq3tu9lzYWI57TUpikBKAEBkyAQgq8sOVBb9Re/a5F1Rnxebw8NM/t93VRT3b71zLsmzHmWnOtXptoZALnkqnDMMIguCSpsbvPtEYTVV8zzdtSwgRBmEURUqjvJHlQmiaJpBX5KoH/na3G4Rnz05FzVrSbanIpyQmlag4jNsr3tJsY37mO089Y/jtosG++OS+5oKzyh4gIGTMSTnc1PYvHur2uhOpUdtxUum0bhiIGHi+eG0vn18Mju23NxuhpmuapiVJEgYBAjbc1mz9fCUzoOtat9PN6unZ5ZUvPP7k79x6M5PRQKmkOWluWCCTJPBkHB07O33glePbhjIyjj79w58Hjdzm7Boi4pzbKacnvSPzJzek1jq6bZiGEAIRoyjyXE9KhVS9rQ9osRq97 wOzqzrbdBSpTBoRe52uUqo/Od3YOx8s3VjZbDCt0+k+7+/f8+VPf/7rj5dMHB8o6KbJuCAA1/NUkpRtUdbh4Ozy3z1zcFhbN5kZJSLd0C3bnu7MdfzeZHqNbhiapjHGZCJ9z4uiiAh/wRYAtUb8vg/OrPG3C2CmZSJi4AdSyv7cMGQFK3vj4OZDteOMc0Ao5zOFTPpzD96vObkzS/W4184pd0SLNmXF5oJeFEop9fThxUlz80R6FABsxzYd++XqMUpoU37csm1d1xHR97x2qxVFUV/FAUAQwVIt+u0PzIxFOyCWjHNN16WUURi+VslbsldrN9cVxsIgiGWybngIEDgXH7/vvfWVlQNHTxyZnq23OwLBMrS1lYGn95223ZGCnWGCW7YVQfLi/IH1mbV5OyuEYIxFUeS7Xv+ZLxJX15P3/f7MhPp1SmRMZBgGEfme13/b9apfI2xtLk9QJH3f78XujrXDBISAiFgql3e9tQS3vllJqZQ8fGr6C195siJHcmlDaELT9XbUPbx4Yvvg9aZhcM6JyO31wiC8JMQFQB/6wzOrvO2CmJ+EjDEuRBSGMpGXuOaMbNWtDxh5BGzHvQ1jI68nsJdPTT/1o5enjnQmUusRURe6JsR8Z+lsdWbHqq2GbiBiHMdez5VSviq9lwKi0xttO+W5LhEJTZNShkH4eteM7iz4tUGzCACNqL15fA3CL316fvDgX+2emVuJZGww/VxjwY08XwZ5O1exym9YvU0IDgCe64ZB2Ofo/086/w8ui/QHSH/HJAAAAABJRU5ErkJggg==
In-reply-to: <552C0D6E.4000701@curiouslegends.com.au>

On Tue, 2015-04-14 at 04:39 +1000, Mitchell Reese wrote:

> Another question re security for webapps - url-dispatcher. Whilst I'm 
> loving using this, it's also clear how easy it is to create a webapp 
> that redirects traffic from other places, such as scopes. While I'm 
> making a point of listing when I use this (and telling users not to 
> install the app if they want to view said content in their browser), 
> there's currently no requirement to do this. Sure, users can simply 
> uninstall an app if it's giving them problems, but it seems that it 
> would also be easy to create a malicious app that 'redirects' lots of 
> urls, and potentially injects scripts into them from there. Even without 
> script injection this could be annoying...
> 
> Are there any processes in place to stop this from happening?

You can uninstall the app :-)

While we don't have it spec'd yet, I'd expect that when we allow
multiple people to register for a URL and we have to choose between them
we'll also allow for a default handler. So probably the first time on a
webapp you'd get the webapp and the browser, then you could choose to
default to the webapp. Currently this is decided by the "most specific"
entry, but we're going to have to give more configuration to the user
there eventually.

Ted

References

webapps and script injection
From: Alan Bell, 2015-04-10
Re: webapps and script injection
From: David Barth, 2015-04-13
Re: webapps and script injection
From: Alexandre Abreu, 2015-04-13
Re: webapps and script injection
From: Mitchell Reese, 2015-04-13