This document presents a set of
unofficial and provisional patches for the
WebKit
engine to configure a web browser in a way that avoids the CORS vulnerability.
CORS is an acronym which stands for Cross-Origin Resource Sharing. It was originally
introduced by
W3C as a
"functionality enhancement", however its benefits do not outweigh its costs in terms
of security and privacy compromise and such vulnerability probably represents one of
the worst in the history of computing.
When CORS is enabled, a web browser is allowed to load resources from origins (hosts)
that are different from the origin of the user's request (the host that appears in
the browser's address bar). Therefore, when CORS is enabled, untrusted resources can be
loaded by the browser, thus allowing a very dangerous form of browser hijacking (such
resources are untrusted because
trust is not a transitive property)!
If you want to learn more about the dangers posed by the CORS vulnerability, then
please read a few exploitation examples.
The following patches represent a possible countermeasure for the CORS vulnerability:
-
patch for the stable 2.44.x WebKit releases;
-
patch for the stable 2.42.x WebKit releases from 2.42.5;
-
patch for the stable 2.42.4 WebKit release;
-
patch for the stable 2.42.x WebKit releases up to 2.42.3;
-
patch for the stable 2.40.x WebKit releases;
-
patch for the stable 2.38.x WebKit releases;
-
patch for the stable 2.36.x WebKit releases;
-
patch for the stable 2.34.x WebKit releases;
-
patch for the stable 2.32.x WebKit releases;
-
patch for the stable 2.22.x WebKit releases (untested);
-
patch for the stable 2.20.x WebKit releases (untested);
-
patch for the unstable 2.19.x WebKit releases;
-
patch for the stable 2.18.x WebKit releases;
-
patch for the WebKit (Chromium) shipped with Android 4.4 (KitKat).
Please note that, when loading some web documents with CORS disabled, there might be a loss
of functionality (for example, some or all images might not load). This is absolutely normal
and it proves that the countermeasure is effective as the browser is not loading content
from untrusted providers.
The WebKit patches listed above are configurable when combined with a patched browser which
can handle the new settings (otherwise they always disable CORS). Here are patches for the
default Android web browser and for other three selected browsers,
epiphany (Linux/Gnome), Zirco (Android) and
Orweb (Android):
-
patch for the stable epiphany releases (3.32.x);
-
patch for the stable epiphany releases (3.30.x);
-
patch for the unstable epiphany releases (3.27.x);
-
patch for the stable epiphany releases (3.26.x);
-
patch for the default Android web browser;
-
patch for the Zirco browser (version 0.4.4);
-
patch for the Orweb browser (version 0.7).
You might want to combine these patches with a
patch to prevent search-engine tracking through search query URL-tampering.
All the patches listed above can be applied with the command
"
patch -p1". They are free software, provided
"as is", in the hope that they will be useful, but WITHOUT ANY WARRANTY.
Most people probably want to keep their browser configured as follows:
- select option "Disable CORS";
- select option "Enable CORS within the same domain";
- do not select option "Disable CORS Redirection".
One last tip: before rebuilding the patched browser on Android, you should first install
the modified Android SDK that can be built with "make update-api ; make PRODUCT-sdk-sdk".
And if you get an error while building the SDK which complains about missing tools, then
reinitialize and synchronize the repository with the following commands:
"
repo init <original_repository_arguments> -gall,tools ;
repo sync"
Once the modified SDK has been compiled, it will be available in out/host/linux-x86/sdk.
Update the SDK Manager preferences in Android Studio with the new SDK location and
finally start rebuilding the modified Zirco or Orweb browser. Be careful not to let Android Studio
overwrite the new SDK with updates from the network !
A free pre-built hardened Android distribution which contains this patch and many other security
and privacy fixes and features is now available:
hardened Android 4.4.4 KitKat for the Sony Xperia E3 devices.
If you are using Mozilla Firefox instead of a WebKit-based browser, then you can find similar
functionality with complete configurability in the
requestpolicy extension.
Useful Readings
-
Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication, G Meise, P. Laperdrix, B. Stock. ACM ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, May 2021
-
We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS, J. Chen, J. Jiang, H. Duan, T. Wan, S. Chen, V. Paxson, M. Yang. Proceedings of the 27th USENIX Security Symposium, August 2018
-
The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading, M. Ikram, R. Masood, G. Tyson, M. A. Kaafar, N. Loizon, R. Ensafi. ACM WWW '19: The World Wide Web Conference, May 2019
-
Security of CORS on LocalStorage, N. Zhu. IEEE 2021 International Conference on Internet, Education and Information Technology (IEIT), April 2021
-
It's More Than Stealing Cookies - Exploitability of XSS, K Nirmal, B. Janet, R. Kumar. IEEE 2018 Second International Conference on Intelligent Computing and Control Systems (ICICCS), June 2018
-
Protecting browser state from web privacy attacks, C. Jackson, A. Bortz, D. Boneh, J. C. Mitchell. ACM WWW '06: Proceedings of the 15th international conference on World Wide Web, May 2006
-
Protecting browsers from cross-origin CSS attacks, L-S. Huang, Z. Weinberg, C. Evans, C. Jackson. ACM CCS '10: Proceedings of the 17th ACM conference on Computer and communications security, October 2010
-
XSS Attacks: Cross Site Scripting Exploits and Defense, S. Fogie, J. Grossman. Syngress Publishing, May 2007. ISBN: 978-0-08-055340-5
-
Dynamic Pharming Attacks and Locked Same-origin Policies for Web Browsers, C. Karlof, U. Shankar, J. D. Tygar, D. Wagner. ACM CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, October 2007