views: 36
answers: 3

I think the title says it all, pretty much.

A little further detail:

  • I'm running a site where users can submit JavaScript freely
  • Other people will preview this JavaScript 'live'
  • There will be basic measures in place to stop naughties like eval(), but inevitably some may unfortunately slip through
  • The site is mysite.com, I gather running the scripts from myotherdomain.com will prevent cookie hijacking, however will running them from js.mysite.com prevent it too? (read: cheapskate, save money on an extra domain)
  • Finally, will running it in an <iframe> from mysite.com to either a separate domain or a subdomain still work as effectively as loading an entirely new site?

Thanks!

Jack

A: 

Yes, a subdomain is the same, except for cookies that are domain cookies.

Mike
Cookies can be read by subdomains, i.e. example.com can be read by foo.example.com. I'm not sure if this is the case if you do not set a domain (I imagine the browser stores the domain for you). To change this, I think you need to use foo.example.com and bar.example.com.
tc.
A: 

The Same Origin Policy (SOP) applies to subdomains, ports, protocols and domain.
If there is a difference in one of these properties, the SOP will prevent the access.

As long as you do not use document.domain on your main page, the subdomain will get the SOP protection. If you use document.domain in the main page a script could do the same in the iframe and by-pass the SOP.

Now if you want to enable some safe communication between iframes, you can use window.postMessage if you target modern browsers and mobiles.

And for older browsers there are some tricks to do, like the window.name trick.

This does not prevent Cross Site Scripting (making a POST to your domain with your current valid cookies from the iframe). You need to use a secret token that only the JavaScript in your main page knows and that will be sent for each request.

Mic
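As an added example (not code from the thread), here is the receiving side of the window.postMessage channel the answer above describes: the main page on https://mysite.com listening to an iframe on https://js.mysite.com that runs user-submitted scripts. The host names come from the question; the message types, the `preview` element id and the size limits are assumptions made for the example. The handler is a plain function over an event-like object so the origin and payload checks can be exercised outside a browser.

```javascript
// Added example, not from the original thread. Receiving side of a
// postMessage channel between the trusted main page and a sandbox iframe.

// The only window we accept messages from (host name taken from the question).
const TRUSTED_SANDBOX_ORIGIN = 'https://js.mysite.com';

// Allowlist of message types, each with a validator for its payload.
// Limits are assumed values for the example.
const MESSAGE_SCHEMAS = {
  'preview-ready': (data) =>
    typeof data.height === 'number' && data.height >= 0 && data.height <= 5000,
  'log': (data) => typeof data.text === 'string' && data.text.length <= 1000,
};

// Decide what to do with one message. Returns a description of the decision
// instead of touching the DOM directly, so the logic is testable in Node.
function handleSandboxMessage(event) {
  // 1. Origin check: any frame can post to this window, so anything that is
  //    not the sandbox origin is dropped before the payload is even looked at.
  if (event.origin !== TRUSTED_SANDBOX_ORIGIN) {
    return { accepted: false, reason: 'untrusted origin: ' + event.origin };
  }
  // 2. Even from the expected origin the payload comes from user-submitted
  //    code, so its structure is validated rather than trusted.
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  // hasOwnProperty rather than a plain lookup: a type of "constructor" or
  // "toString" would otherwise resolve to a function on Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(MESSAGE_SCHEMAS, data.type)) {
    return { accepted: false, reason: 'unknown message type: ' + data.type };
  }
  if (!MESSAGE_SCHEMAS[data.type](data)) {
    return { accepted: false, reason: 'invalid payload for ' + data.type };
  }
  return { accepted: true, type: data.type, data };
}

// Sending side: always pass an explicit targetOrigin, never '*', so a message
// is not delivered if the frame has navigated somewhere else.
function sendToSandbox(frameWindow, message) {
  frameWindow.postMessage(message, TRUSTED_SANDBOX_ORIGIN);
}

// Wire the handler up only when running inside a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = handleSandboxMessage(event);
    if (result.accepted && result.type === 'preview-ready') {
      // "preview" is an assumed element id for the iframe's container.
      document.getElementById('preview').style.height = result.data.height + 'px';
    }
  });
}
```

The sandbox side does the mirror image: it checks event.origin against https://mysite.com before acting, and calls parent.postMessage(msg, 'https://mysite.com') rather than using '*'.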
A: 

The best way is to run it in an appropriate sandbox, not to strip some code. I think you can do stuff like delete eval; or eval = null;. You might have additional luck with delete document or document=null or delete document.cookie. Test on a variety of browsers, of course.

EDIT: Also consider using "httponly" cookies, which (on many browsers) prevents them from being accessed in JavaScript. It's originally an IE extension, but has been incorporated to most major browsers IIRC.

tc.
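The first answer's point about domain cookies and this answer's point about HttpOnly both come down to how a browser scopes a Set-Cookie header. The following is an added example, not code from the thread: a small model of that scoping, using the host names from the question (mysite.com, js.mysite.com, myotherdomain.com) and constructed Set-Cookie values. Domain matching follows RFC 6265 section 5.1.3, and a cookie without a Domain attribute is treated as host-only, which is the case tc. was unsure about in the comment above.

```javascript
// Added example, not from the original thread. Models how a browser decides
// which hosts receive a cookie and whether script can read it.

// Parse one Set-Cookie header value received from `requestHost`.
// Returns null when the browser would reject the cookie.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), // default: the host that set it
    hostOnly: true,                    // no Domain attribute seen yet
    httpOnly: false,
    secure: false,
  };
  for (const part of attrParts) {
    const [rawKey, rawVal = ''] = part.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rawVal.trim().toLowerCase();
    if (key === 'domain' && val) {
      const domain = val.replace(/^\./, ''); // a leading dot is ignored
      // A server may only widen the cookie to a domain it belongs to;
      // anything else is rejected outright.
      if (!domainMatches(requestHost, domain)) return null;
      cookie.domain = domain;
      cookie.hostOnly = false;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    } else if (key === 'secure') {
      cookie.secure = true;
    }
  }
  return cookie;
}

// RFC 6265 domain matching: the host is the cookie domain itself or ends
// with "." followed by the cookie domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Does a request from a page on `host` carry this cookie at all?
function sentToHost(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatches(host, cookie.domain);
}

// Can script running on `host` read it via document.cookie?
function visibleToScript(cookie, host) {
  return sentToHost(cookie, host) && !cookie.httpOnly;
}

// Constructed sample headers, all set by the main site mysite.com.
const SAMPLE_COOKIES = {
  hostOnly:   parseSetCookie('session=abc123; Path=/', 'mysite.com'),
  domainWide: parseSetCookie('session=abc123; Domain=mysite.com', 'mysite.com'),
  hardened:   parseSetCookie('session=abc123; Domain=mysite.com; HttpOnly; Secure', 'mysite.com'),
};
```

Run against the samples: the host-only cookie never reaches js.mysite.com, the Domain=mysite.com cookie reaches it and is readable by whatever script runs there, the HttpOnly variant still reaches it but is hidden from document.cookie, and none of them is sent to myotherdomain.com. Keeping the session cookie host-only (or HttpOnly) is therefore what makes the js.mysite.com subdomain a real boundary for cookie theft, though not for the CSRF concern raised in the second answer.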