English  |  Italiano 

Unofficial WebKit CORS vulnerability patches

This document presents a set of unofficial and provisional patches for the WebKit engine to configure a web browser in a way that avoids the CORS vulnerability. CORS is an acronym which stands for Cross-Origin Resource Sharing. It was originally introduced by W3C as a "functionality enhancement", however its benefits do not outweigh its costs in terms of security and privacy compromise and such vulnerability probably represents one of the worst in the history of computing.

When CORS is enabled, a web browser is allowed to load resources from origins (hosts) that are different from the origin of the user's request (the host that appears in the browser's address bar). Therefore, when CORS is enabled, untrusted resources can be loaded by the browser, thus allowing a very dangerous form of browser hijacking (such resources are untrusted because trust is not a transitive property)!

If you want to learn more about the dangers posed by the CORS vulnerability, then please read a few exploitation examples.

The following patches represent a possible countermeasure for the CORS vulnerability:
- patch for the stable 2.44.x WebKit releases;
- patch for the stable 2.42.x WebKit releases from 2.42.5;
- patch for the stable 2.42.4 WebKit release;
- patch for the stable 2.42.x WebKit releases up to 2.42.3;
- patch for the stable 2.40.x WebKit releases;
- patch for the stable 2.38.x WebKit releases;
- patch for the stable 2.36.x WebKit releases;
- patch for the stable 2.34.x WebKit releases;
- patch for the stable 2.32.x WebKit releases;
- patch for the stable 2.22.x WebKit releases (untested);
- patch for the stable 2.20.x WebKit releases (untested);
- patch for the unstable 2.19.x WebKit releases;
- patch for the stable 2.18.x WebKit releases;
- patch for the WebKit (Chromium) shipped with Android 4.4 (KitKat).

Please note that, when loading some web documents with CORS disabled, there might be a loss of functionality (for example, some or all images might not load). This is absolutely normal and it proves that the countermeasure is effective as the browser is not loading content from untrusted providers.

The WebKit patches listed above are configurable when combined with a patched browser which can handle the new settings (otherwise they always disable CORS). Here are patches for the default Android web browser and for other three selected browsers, epiphany (Linux/Gnome), Zirco (Android) and Orweb (Android):
- patch for the stable epiphany releases (3.32.x);
- patch for the stable epiphany releases (3.30.x);
- patch for the unstable epiphany releases (3.27.x);
- patch for the stable epiphany releases (3.26.x);
- patch for the default Android web browser;
- patch for the Zirco browser (version 0.4.4);
- patch for the Orweb browser (version 0.7).

You might want to combine these patches with a patch to prevent search-engine tracking through search query URL-tampering.

All the patches listed above can be applied with the command "patch -p1". They are free software, provided "as is", in the hope that they will be useful, but WITHOUT ANY WARRANTY.

Most people probably want to keep their browser configured as follows:
- select option "Disable CORS";
- select option "Enable CORS within the same domain";
- do not select option "Disable CORS Redirection".

One last tip: before rebuilding the patched browser on Android, you should first install the modified Android SDK that can be built with "make update-api ; make PRODUCT-sdk-sdk". And if you get an error while building the SDK which complains about missing tools, then reinitialize and synchronize the repository with the following commands:
"repo init <original_repository_arguments> -gall,tools ; repo sync"
Once the modified SDK has been compiled, it will be available in out/host/linux-x86/sdk. Update the SDK Manager preferences in Android Studio with the new SDK location and finally start rebuilding the modified Zirco or Orweb browser. Be careful not to let Android Studio overwrite the new SDK with updates from the network !

A free pre-built hardened Android distribution which contains this patch and many other security and privacy fixes and features is now available: hardened Android 4.4.4 KitKat for the Sony Xperia E3 devices.

If you are using Mozilla Firefox instead of a WebKit-based browser, then you can find similar functionality with complete configurability in the requestpolicy extension.

Useful Readings

- Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication, G Meise, P. Laperdrix, B. Stock. ACM ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, May 2021

- We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS, J. Chen, J. Jiang, H. Duan, T. Wan, S. Chen, V. Paxson, M. Yang. Proceedings of the 27th USENIX Security Symposium, August 2018

- The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading, M. Ikram, R. Masood, G. Tyson, M. A. Kaafar, N. Loizon, R. Ensafi. ACM WWW '19: The World Wide Web Conference, May 2019

- Security of CORS on LocalStorage, N. Zhu. IEEE 2021 International Conference on Internet, Education and Information Technology (IEIT), April 2021

- It's More Than Stealing Cookies - Exploitability of XSS, K Nirmal, B. Janet, R. Kumar. IEEE 2018 Second International Conference on Intelligent Computing and Control Systems (ICICCS), June 2018

- Protecting browser state from web privacy attacks, C. Jackson, A. Bortz, D. Boneh, J. C. Mitchell. ACM WWW '06: Proceedings of the 15th international conference on World Wide Web, May 2006

- Protecting browsers from cross-origin CSS attacks, L-S. Huang, Z. Weinberg, C. Evans, C. Jackson. ACM CCS '10: Proceedings of the 17th ACM conference on Computer and communications security, October 2010

- XSS Attacks: Cross Site Scripting Exploits and Defense, S. Fogie, J. Grossman. Syngress Publishing, May 2007. ISBN: 978-0-08-055340-5

- Dynamic Pharming Attacks and Locked Same-origin Policies for Web Browsers, C. Karlof, U. Shankar, J. D. Tygar, D. Wagner. ACM CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, October 2007

Copyright © 2017-2024 Guido Trentalancia. All rights reserved.