This document presents a set of unofficial and provisional patches for the WebKit engine to configure a web browser in a way that avoids the CORS vulnerability.
CORS is an acronym which stands for Cross-Origin Resource Sharing. It was originally introduced by W3C as a "functionality enhancement"; however, its benefits do not outweigh its costs in terms of security and privacy compromise.
When CORS is enabled, a web browser is allowed to load resources from origins (hosts)
that are different from the origin of the user's request (the host that appears in
the browser's address bar). Therefore, when CORS is enabled, untrusted resources can be
loaded by the browser (they are untrusted because
trust is not a transitive property),
thus allowing a very dangerous form of browser hijacking!
If you want to learn more about the dangers posed by the CORS vulnerability, then
please read a few exploitation examples.
The following patches represent a possible countermeasure for the CORS vulnerability:
- patch for the stable 2.40.x WebKit releases;
- patch for the stable 2.38.x WebKit releases;
- patch for the stable 2.36.x WebKit releases;
- patch for the stable 2.34.x WebKit releases;
- patch for the stable 2.32.x WebKit releases;
- patch for the stable 2.22.x WebKit releases (untested);
- patch for the stable 2.20.x WebKit releases (untested);
- patch for the unstable 2.19.x WebKit releases;
- patch for the stable 2.18.x WebKit releases;
- patch for the WebKit (Chromium) shipped with Android 4.4 (KitKat).
Please note that, when loading some web documents with CORS disabled, there might be a loss of functionality (for example, some or all images might not load). This is absolutely normal, and it proves that the countermeasure is effective, as the browser is not loading content from untrusted providers.
The WebKit patches listed above are only effective when combined with a patched browser which can configure the new settings. Here are patches for the default Android web browser and for three other selected browsers, epiphany (Linux/Gnome), Zirco (Android) and Orweb (Android):
- patch for the stable epiphany releases (3.32.x);
- patch for the stable epiphany releases (3.30.x);
- patch for the unstable epiphany releases (3.27.x);
- patch for the stable epiphany releases (3.26.x);
- patch for the default Android web browser;
- patch for the Zirco browser (version 0.4.4);
- patch for the Orweb browser (version 0.7).
All the patches listed above can be applied with the command "patch -p1". They are free software, provided "as is", in the hope that they will be useful, but WITHOUT ANY WARRANTY.
Most people probably want to keep their browser configured as follows:
- select option "Disable CORS";
- select option "Enable CORS within the same domain";
- do not select option "Disable CORS Redirection".
One last tip: before rebuilding the patched browser on Android, you should first install the modified Android SDK, which can be built with "make update-api ; make PRODUCT-sdk-sdk". If you get an error while building the SDK which complains about missing tools, then reinitialize and synchronize the repository with the following commands:
"repo init <original_repository_arguments> -gall,tools ; repo sync"
Once the modified SDK has been compiled, it will be available in out/host/linux-x86/sdk. Update the SDK Manager preferences in Android Studio with the new SDK location and finally start rebuilding the modified Zirco or Orweb browser. Be careful not to let Android Studio overwrite the new SDK with updates from the network!
A free pre-built hardened Android distribution which contains this patch and many other security
and privacy fixes and features is now available:
hardened Android 4.4.4 KitKat for the Sony Xperia E3 devices.
If you are using Mozilla Firefox instead of a WebKit-based browser, then you can find similar
functionality with complete configurability in the
requestpolicy extension.