Vsevolod Rodionov, 2019-01-16 12:03:16
JavaScript

How can you authenticate global variables in browser JS?

Let's imagine that you have an API that is inserted into a page via <script src=.../>.
You need to access a lot of browser APIs - from new Function or Object.keys to subtle, Blob, WebWorker, WASM and so on. You need to make sure that variables are not spoofed, not wrapped in Proxy, and so on. This can be done by another script or browser plugin.
Additional known conditions and limitations:
- you have full control of the server response - headers, statuses, response body, etc
- the script is not loaded in anonymous mode (you can work with cookies when loading the script)
- you can force the developer who inserts your script into the page to do any additional actions that do not break his site (add or change headers, add arbitrary code to the page, etc.). But it's best to avoid it if possible
- Both the embedding site and yours work via HTTPS
- Man-in-the-Middle attack is not performed at the network/operating system level, the server cannot become an attacker
- the user does not have fraudulent HTTPS certificates
- no one on the network alters requests or responses
- Browser plugins can manipulate the request and response headers (but not the body!). However, they cannot manipulate some headers such as CSP (however, they can change cookies). I don't know exactly why it works this way, but it seems like a good and reasonable approach to me.

1 answer

Vsevolod Rodionov, 2019-01-16
@Jabher

What I know about:
- through constructors you can get the trusted Function, Boolean, Number and so on
- you can access the global window object through (function () {return this}).call(null)
- you can't change the value of window's document, origin, location, domain - it's either impossible or will cause a page reload
- check WebWorker and document.createElement('iframe'), possibly by accessing Blob and URL.createObjectURL
- the execution contexts Web Worker and Shared Worker are safe, they cannot be injected into. This means that all WorkerNavigator content is trusted.
- You can test a Web Worker with CSP. The sha* algorithms are crypto-resistant, which means that it is not possible to find code that solves the desired problem and at the same time has the correct sha in a reasonable time. If the code loads and responds in the expected way, this means that the worker itself has loaded (while we still cannot consider the global Worker itself to be trusted)
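As an added illustration (this is not code from the question or from the answer above), here is a small integrity probe in JavaScript that applies the first two points of the answer: the global object is taken from a non-strict function's `this`, `Function.prototype.toString` is captured before any later script can replace it, and a global is accepted only if it is a plain data property whose source text has the native-code shape and whose printed name matches `fn.name`. The names `inspectGlobal`, `spoofedRoot` and `auditGlobals` are mine; the `spoofedRoot` object is a constructed stand-in for a tampered page, so the demo never modifies the real environment. The name-mismatch test for Proxy and bound wrappers relies on V8 printing them as the anonymous `function () { [native code] }`, which is an engine detail I am assuming, not a spec guarantee. It runs in Node.js and in a browser.

```javascript
// Added example, not code from the question or the answer.
// Non-strict function: `this` with a null receiver is the real global object.
// In strict/module code that is undefined, so fall back to globalThis.
const realGlobal = (function () { return this; }).call(null) || globalThis;

// Capture these before any later script on the page can swap them out.
const nativeToString = Function.prototype.toString;
const getOwnDesc = Object.getOwnPropertyDescriptor;

// Shape V8 prints for native functions: "function NAME() { [native code] }".
// Callable Proxy objects and bound functions are printed with an empty NAME
// (assumed V8 behaviour), which is what the name comparison below detects.
const NATIVE_SHAPE = /^function ([^(]*)\(\) \{ \[native code\] \}$/;

function inspectGlobal(name, root = realGlobal) {
  const desc = getOwnDesc(root, name);
  if (!desc) return { name, ok: false, reason: 'missing' };
  // A native global is a data property; a getter means it was redefined.
  if (!('value' in desc)) return { name, ok: false, reason: 'accessor' };
  const fn = desc.value;
  if (typeof fn !== 'function') return { name, ok: false, reason: 'not-a-function' };
  let src;
  try {
    src = nativeToString.call(fn);
  } catch (e) {
    return { name, ok: false, reason: 'tostring-threw' };
  }
  const m = NATIVE_SHAPE.exec(src);
  if (m === null) return { name, ok: false, reason: 'user-code' }; // replaced by page script
  if (m[1] !== fn.name) return { name, ok: false, reason: 'wrapped' }; // Proxy or .bind()
  return { name, ok: true, reason: 'native' };
}

// Constructed stand-in for a page whose globals were tampered with.
// It is a plain object, so the running environment is left untouched.
function spoofedRoot() {
  const root = {
    parseInt: function parseInt() { return 42; },                    // outright replacement
    Function: new Proxy(realGlobal.Function, {}),                    // transparent Proxy
    encodeURIComponent: realGlobal.encodeURIComponent.bind(null),   // bound wrapper
  };
  Object.defineProperty(root, 'Array', {                             // accessor, not data
    get() { return realGlobal.Array; },
    configurable: true,
  });
  return root;
}

function auditGlobals(names, root = realGlobal) {
  return names.map((n) => inspectGlobal(n, root));
}

// Usage: report on the real environment, then on the constructed spoofed one.
const NAMES = ['parseInt', 'Function', 'encodeURIComponent', 'Array'];
console.log(auditGlobals(NAMES));
console.log(auditGlobals(NAMES, spoofedRoot()));
```

The probe is a heuristic, which is why the answer ends up at CSP-hashed workers: it catches replacements, accessor redefinitions and (on V8) Proxy or bound wrappers, but only if the captured `Function.prototype.toString` and `Object.getOwnPropertyDescriptor` were themselves still genuine at the moment the probe ran, so it must execute as early as possible in the page.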
