[master] Deploy 262f86ed4e6fbdff944aa036e82643312fc0f600

forkphorus/forkphorus@97b1bcf...262f86e Signed-off-by: Muffin <[email protected]>
forkphorus · Sep 25, 2024 · 122b143 · 122b143
1 parent 8c247f5
commit 122b143
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 8 deletions.
diff --git a/embed.js b/embed.js
@@ -4,16 +4,19 @@
 (function() {
   'use strict';
 
-  // compatibility: embed.js does not work in some common WYSIWYG editors
-  // security: this script could potentially do things like steal browser cookies. an <iframe> should not be able to do this ("same origin policy")
-  // embed.js won't be removed soon but it may be removed "eventually" and is not actively tested
+  // Compatibility: The embed.js <script> tag does not work in some common WYSIWYG website designers.
+  // Security: The <script> tag full access to the website it is embedded in while an <iframe> is sandboxed. There has also been some known security vulnerabilities that the iframe is immune from.
   console.warn('forkphorus: embed.js is deprecated due to compatibility and security concerns and may stop working in the future. Please use a direct <iframe> of embed.html instead! The generator on https://forkphorus.github.io/ has been updated to do this.');
 
   // Get this script's HTML element.
   // We'll replace the script element with the frame.
-  var script = document.currentScript || (function(scripts) {
-    return scripts[scripts.length - 1];
-  })(document.getElementsByTagName('script'));
+  var script = document.currentScript;
+
+  // Named elements can override document.currentScript. Because we generate the iframe's source from the
+  // script's source, blindly using the source from that named element would be a security bug.
+  if (script.tagName.toUpperCase() !== 'SCRIPT') {
+    throw new Error('forkphorus: document.currentScript is not a script. This indicates a DOM clobbering attack. Refusing to continue for security.');
+  }
 
   // Determine the hasUI option to properly size the frame.
   var hasUI = true;
@@ -38,7 +41,15 @@
   var iframe = document.createElement('iframe');
   iframe.setAttribute('allowfullscreen', true);
   iframe.setAttribute('allowtransparency', true);
-  iframe.src = script.src.replace('embed.js', 'embed.html');
+
+  // Rewrite embed.js to embed.html
+  var iframeSrc = new URL(script.src);
+  if (!iframeSrc.pathname.endsWith('/embed.js')) {
+    throw new Error('forkphorus: embed script is not named embed.js. Unable to safely generate <iframe> src. Refusing to continue for security.');
+  }
+  iframeSrc.pathname = iframeSrc.pathname.replace(/\/embed\.js$/, '/embed.html');
+  iframe.src = iframeSrc.href;
+
   if (hasUI) {
     // include enough for controls and the player border
     iframe.width = baseWidth + 2;

diff --git a/index.html b/index.html
@@ -159,7 +159,7 @@ <h1 data-i18n="index.code">Code</h1>
 
       <footer>
         <a data-i18n="index.privacy" href="privacy">Privacy Policy</a>
-       - Version 97b1bcf (2024-09-16)</footer>
+       - Version 262f86e (2024-09-24)</footer>
     </section>
 
   </div>

diff --git a/tools/clobbering.html b/tools/clobbering.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta charset="utf-8">
+  <meta name="robots" content="noindex">
+</head>
+
+<body>
+  <p>If the clobbering attack works, you'll see some big text below. If you just see an invalid image icon then it is safe.</p>
+
+  <!-- name=currentScript overrides document.currentScript -->
+  <!-- src= can be any URL, just needs to contain a ? anywhere to avoid an error in the query parser -->
+  <img name="currentScript" src="data:text/html;,<h1>If you can see this, the clobbering attack worked</h1> <!-- ? -->">
+
+  <script src="../embed.js?id=280227362"></script>
+</body>
+
+</html>