
Unofficial WebKit CORS vulnerability patches


This document presents a set of unofficial and provisional patches for the WebKit engine which configure a web browser so that it avoids the CORS vulnerability. CORS is an acronym for Cross-Origin Resource Sharing. It was originally introduced by the W3C as a "functionality enhancement"; however, its benefits do not outweigh its costs in terms of security and privacy, and this vulnerability probably represents the worst ever introduced since the Web service was created and one of the worst ever created in the history of computing.

When CORS is enabled, a web browser loads resources (scripts, images, stylesheets, frames, script-initiated requests) from origins, that is hosts, which differ from the origin of the user's request, the host shown in the browser's address bar. Such resources are untrusted, because trust is not a transitive property: the user chose to trust the site in the address bar, not every third party that site decides to embed. Loading them therefore allows a very dangerous form of browser hijacking. (A note on terminology: in the W3C specification the name CORS denotes only the header-based protocol with which a remote server opts in to letting scripts read its responses cross-origin; this page uses the name for cross-origin loading as a whole, which is what the patches below block.)

If you want to learn more about the dangers posed by the CORS vulnerability, then please read a few exploitation examples.

The following patches represent a possible countermeasure for the CORS vulnerability:
- patch for the stable 2.42.x WebKit releases;
- patch for the stable 2.40.x WebKit releases;
- patch for the stable 2.38.x WebKit releases;
- patch for the stable 2.36.x WebKit releases;
- patch for the stable 2.34.x WebKit releases;
- patch for the stable 2.32.x WebKit releases;
- patch for the stable 2.22.x WebKit releases (untested);
- patch for the stable 2.20.x WebKit releases (untested);
- patch for the unstable 2.19.x WebKit releases;
- patch for the stable 2.18.x WebKit releases;
- patch for the WebKit (Chromium) shipped with Android 4.4 (KitKat).

Please note that, when loading some web documents with CORS disabled, there may be a loss of functionality (for example, some or all images might not load). This is expected and shows that the countermeasure is working: the browser is refusing to load content from untrusted providers.



The WebKit patches listed above are only effective when combined with a patched browser which exposes the new settings. Here are patches for the default Android web browser and for three other selected browsers: epiphany (Linux/GNOME), Zirco (Android) and Orweb (Android):
- patch for the stable epiphany releases (3.32.x);
- patch for the stable epiphany releases (3.30.x);
- patch for the unstable epiphany releases (3.27.x);
- patch for the stable epiphany releases (3.26.x);
- patch for the default Android web browser;
- patch for the Zirco browser (version 0.4.4);
- patch for the Orweb browser (version 0.7).



You might want to combine these patches with a patch that prevents search-engine tracking through search-query URL tampering.



All the patches listed above can be applied with the command "patch -p1", run from the top-level directory of the matching source tree. They are free software, provided "as is", in the hope that they will be useful, but WITHOUT ANY WARRANTY.

Most people probably want to keep their browser configured as follows:
- select option "Disable CORS";
- select option "Enable CORS within the same domain";
- do not select option "Disable CORS Redirection".
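The three options above, modelled in JavaScript as an added example. This is not the patch's own code and not WebKit's loading logic: the meaning assigned to each option (cross-origin loads refused; hosts sharing the document's registrable domain exempted when the same-domain option is set; HTTP redirects checked against the document origin only when the redirection option is set), the registrable-domain approximation and the sample URLs are all assumptions made for this illustration.

```javascript
// Added illustrative model of the three browser settings named on the page.
// Not the patch's code; the semantics below are assumptions for this example.

// Recommended configuration from the page, as a settings object (assumed field names).
const RECOMMENDED = {
  disableCors: true,            // "Disable CORS"
  sameDomain: true,             // "Enable CORS within the same domain"
  disableCorsRedirection: false // "Disable CORS Redirection" left unselected
};

// Registrable-domain approximation: the last two labels of the hostname.
// Assumption for this example; a real implementation would consult the
// public suffix list so that names such as example.co.uk are split correctly.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Decide whether a single load of targetUrl, initiated by a document at
// documentUrl, is permitted under the given settings.
function isAllowed(documentUrl, targetUrl, settings) {
  const doc = new URL(documentUrl);
  const tgt = new URL(targetUrl);
  if (!settings.disableCors) return true;          // stock behaviour: anything loads
  if (doc.origin === tgt.origin) return true;      // same scheme, host and port
  if (settings.sameDomain &&
      doc.protocol === tgt.protocol &&             // conservative: no https -> http downgrade
      registrableDomain(doc.hostname) === registrableDomain(tgt.hostname)) {
    return true;                                   // e.g. static.example.net from www.example.net
  }
  return false;                                    // third-party origin: refused
}

// Evaluate a request together with the redirect chain the server answers with
// (an array of Location values, absolute or relative; constructed by the caller).
// Assumption: with "Disable CORS Redirection" unselected, redirects are followed
// without further checks; with it selected, every hop must be acceptable from
// the original document origin, so a same-origin URL cannot bounce the browser
// to a third party.
function checkLoad(documentUrl, requestUrl, redirects, settings) {
  if (!isAllowed(documentUrl, requestUrl, settings)) {
    return { allowed: false, blockedAt: requestUrl, reason: 'cross-origin request' };
  }
  let current = requestUrl;
  for (const location of redirects) {
    const resolved = new URL(location, current).href; // resolve relative Location
    if (settings.disableCorsRedirection && !isAllowed(documentUrl, resolved, settings)) {
      return { allowed: false, blockedAt: resolved, reason: 'cross-origin redirect' };
    }
    current = resolved;
  }
  return { allowed: true, finalUrl: current };
}

// Constructed sample: a page on www.example.net embedding a same-domain script
// and a third-party tracker, plus a same-origin URL that redirects off-site.
function demo() {
  const page = 'https://www.example.net/page';
  return {
    ownImage: isAllowed(page, 'https://www.example.net/logo.png', RECOMMENDED),
    sameDomainScript: isAllowed(page, 'https://static.example.net/app.js', RECOMMENDED),
    thirdPartyTracker: isAllowed(page, 'https://cdn.tracker.example/t.js', RECOMMENDED),
    bounce: checkLoad(page, 'https://www.example.net/r', ['https://cdn.tracker.example/t.js'], RECOMMENDED),
    bounceStrict: checkLoad(page, 'https://www.example.net/r', ['https://cdn.tracker.example/t.js'],
                            { ...RECOMMENDED, disableCorsRedirection: true })
  };
}

console.log(demo());
```

The useful observation from the redirect case is why the page recommends leaving "Disable CORS Redirection" unselected: with it set, any same-origin URL that redirects to another site (login flows, link shorteners, download mirrors) is blocked outright, which is stricter than most users can live with; without it, the same-origin request is allowed and the off-site hop is followed.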

One last tip: before rebuilding the patched browser on Android, first install the modified Android SDK, which can be built with "make update-api ; make PRODUCT-sdk-sdk". If the SDK build fails with an error about missing tools, reinitialize and synchronize the repository with the following commands:
"repo init <original_repository_arguments> -gall,tools ; repo sync"
Once the modified SDK has been compiled, it is available in out/host/linux-x86/sdk. Point the SDK Manager preferences in Android Studio at the new SDK location and then rebuild the modified Zirco or Orweb browser. Be careful not to let Android Studio overwrite the new SDK with updates from the network!

A free pre-built hardened Android distribution which contains these patches and many other security and privacy fixes and features is now available: hardened Android 4.4.4 KitKat for Sony Xperia E3 devices.

If you use Mozilla Firefox instead of a WebKit-based browser, similar functionality, with complete configurability, is available in the requestpolicy extension.



Copyright © 2017-2023 Guido Trentalancia. All rights reserved.