Replace readBlobAsDataUri with URL.createObjectURL #1820
Conversation
We should review & consider this alongside element-hq/element-web#6173
@ara4n, for those of us not "in the know", why does element-hq/element-web#6173 need considering here?
If we're creating object URLs, we'll need to revoke them at some point, otherwise they'll just accumulate and leak memory.
This ought to fix element-hq/element-web#2770
Another couple of points on this:
So, I was just looking at this in the context of element-hq/element-web#2866, and the thing that massively worries me is that the reason readBlobAsDataUri was added in the first place was: 8f778f5#diff-d3d5b76e1f38f26633799c4c6b61105a whose commit message of "Use data:// URI rather than blob: URI to avoid XSS" sounds worthwhile not ignoring. I assume this is because the blob URI could be sculpted to contain a javascript: URI or something? Anyone know the specific XSS? Edit: I'm an idiot and had somehow totally missed @dbkr's second point in the previous comment, which spells out the vuln this introduces. https://www.attacker-domain.com/2014/07/javascript-blobs.html also provides a nice quick overview of the problem.
Having looked into this a bit more, I can reproduce this attack but only if the mime-type passed in when instantiating the Blob is a type which can access JS when rendered in a browser (e.g. text/html or image/svg or application/pdf or whatever). Might it be good enough just to whitelist the mime-types which we trust to be rendered from blobs (e.g. image/jpeg, image/png, image/gif, video/mp4) and for the rest of them set the mime-type to application/octet-stream so they just get downloaded as a plain old file?
@walle303 heads up that I'm experimenting with the mime-type whitelisting idea atm (lest we collide)
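Added example, not code from this PR or from the project: a sketch of the mime-type whitelisting proposed above, combined with tracking object URLs so they can be revoked (the leak concern raised earlier in the thread). The names SAFE_RENDER_TYPES, sanitizeBlobMimeType and ObjectUrlPool are assumptions; the allow-listed types are the ones named in the comment.

```javascript
// Added example: allow-list the MIME types we trust to be rendered from a blob: URL,
// and force everything else to application/octet-stream so it is downloaded, not rendered.
// Names below (SAFE_RENDER_TYPES, sanitizeBlobMimeType, ObjectUrlPool) are assumptions.
const SAFE_RENDER_TYPES = new Set(["image/jpeg", "image/png", "image/gif", "video/mp4"]);

function sanitizeBlobMimeType(declaredType) {
  // Compare only the essence, ignoring parameters such as "; charset=utf-8" and case,
  // so "TEXT/HTML; charset=utf-8" is still recognised as a type we must not render.
  const essence = String(declaredType || "").split(";")[0].trim().toLowerCase();
  return SAFE_RENDER_TYPES.has(essence) ? essence : "application/octet-stream";
}

// Creates object URLs from sanitised Blobs and remembers them so they can be revoked,
// since object URLs that are never revoked keep their Blob alive for the page's lifetime.
class ObjectUrlPool {
  constructor({ urlApi = globalThis.URL, BlobCtor = globalThis.Blob } = {}) {
    this.urlApi = urlApi;      // injectable so the pool can be exercised outside a browser
    this.BlobCtor = BlobCtor;
    this.live = new Set();
  }

  create(bytes, declaredType) {
    const type = sanitizeBlobMimeType(declaredType);
    const blob = new this.BlobCtor([bytes], { type });
    const url = this.urlApi.createObjectURL(blob);
    this.live.add(url);
    return { url, type };
  }

  revoke(url) {
    if (this.live.delete(url)) this.urlApi.revokeObjectURL(url);
  }
  revokeAll() {
    for (const url of this.live) this.urlApi.revokeObjectURL(url);
    this.live.clear();
  }
  get liveCount() {
    return this.live.size;
  }
}

// Stand-alone demo with constructed bytes (runs where Blob and URL.createObjectURL exist).
if (typeof globalThis.Blob === "function" && typeof globalThis.URL?.createObjectURL === "function") {
  const pool = new ObjectUrlPool();
  const html = pool.create(new Uint8Array([0x3c, 0x68, 0x31, 0x3e]), "text/html");
  console.log(html.type); // application/octet-stream: served as a download, never rendered
  pool.revokeAll();
}
```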
This fixes element-hq/element-web#2678 and element-hq/element-web#2866 and provides an overall performance increase when handling embedded media in encrypted rooms.