kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev
<griff_>
I did some googling and there is a few vectors. 1. Phishing by changing the opener to a site that looks like the original. 2. If you know the opener location (not possible in sandstorm) you can trigger a hashchange.
<isd>
But it doesn't look like the opener can be changed? How would you do that?
<isd>
I guess what I'm trying to pin down is: somehow were are mitigating this and I don't understand the details.
<griff_>
You can send postMessage to opener so if there are any bugs or way to exploit that (GMail had a bug like that) you got an attack. I think generally if window.open is used opener should be set to null unless it is actually needed since that prevents problems like this. I don’t know if you can set parent of an iframe to null but that might relevant for apps that have iframes with user content or previews since they might be able t
<griff_>
nap the app iframe and have it do phising.
<griff_>
You can write to opener.location
<griff_>
You can’t read opener.location though
<isd>
Aha, so you can; thought I'd tried that but I may have tried to assign to opener directly or something.
<griff_>
If you know what opener.location is. Say you know it is http://google.com you can set opener.location to http://google.com#i-am-evil and that will trigger a hashevent in opener
<isd>
If I pop open the javascript console and do window.open(...) from the grain's iframe, and then try to do window.opener.location = ... in the new tab, it throws an exception.
<isd>
This does not happen if I call window.open() from the sandstorm UI (outside of the iframe)
<griff_>
Hmm
<isd>
so maybe there's some additional restrictions on iframes.
<isd>
I've only tried this in firefox.
<griff_>
That is the other thing. The mitigations are browser specific. So that attack may be prevented by firefox but work in Safari
<isd>
Same thing happens in chromium
<griff_>
And Safari
<griff_>
Så that attack is prevented. Nice to know
<isd>
Would make sense to check i.e./edge too (ocdtrekkie?), and I'm curious as to how old this mitigation is; would someone have been vulnerable using a browser from 2017?
<isd>
I'd like to know what the exact rules are here, and if they're standardized or just widely implemented the same way.
<kentonv>
hmm those rules seem way too loose though
<isd>
Yeah, I'm staring at those and don't understand why it blocks this (though I'm glad it does). It seems like it should if we were setting sandbox flags on the iframe but I don't think we are.
<isd>
So I don't know whether my reading is wrong or browsers are just more strict than what the spec says, or there's some other verbiage somewhare that's relevant.
<isd>
In other news: I'm very excited about the fix to davros's upload button
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
_whitelogger has joined #sandstorm
<JacobWeisz[m]>
Ian, I stopped using Edge a while ago, but Microsoft has replaced Edge with a Chrome fork, so Chrome testing and Edge testing are basically one in the same now.
<JacobWeisz[m]>
Firefox and Safari run the last remaining independent browser engines separate from the evil empire.
<xet7>
Edge is in a very wide use at corporations. Some were very happy when I fixed Wekan to work at Edge. Also Wekan Microsoft Store app at Win10 desktop uses Edge for Wekan window, based on Wekan PWA. I don't know when Chromium Edge based PWA will become possible.
<xet7>
If possible, sometime add support for even more browsers. I would like to support browsers that do not have Javascript enabled or implemented at all.
<JacobWeisz[m]>
Yeah, if you embed inside a UWP app or whatever, legacy Edge is still there for now. But probably not much longer, Microsoft is probably going to switch everything to a Chromium-Edge-based-Electron thing.
<JacobWeisz[m]>
As an enterprise IT admin, many vendors tell us we must use Chrome to get support. We use Firefox internally but we ended up pushing the new Edge quicker so that we have it for said troubleshooting.
<JacobWeisz[m]>
Thankfully companies seem to accept the new Edge as a viable basically-Chrome, so we were able to finish removing all Google Chrome installs from our network.
frigginglorious has joined #sandstorm
frigginglorious has quit [Read error: Connection reset by peer]
frigginglorious has joined #sandstorm
<isd>
I keep forgetting edges is just chromium now.
<xet7>
new edge is chromium + many changes, like google-specific stuff removed and ms-specific stuff added, optimizations, etc
<griff_>
Has anybody tried running sandstorm in a docker container?
<blowfist>
griff_: I'm running sandstorm in my own custom container (which is made using shell scripts)
<blowfist>
griff_: sandstorm requires the user namespace to work
<xet7>
blowfist: Are your scripts open source and at some public repo?
<xet7>
I don't know are user namespaces available inside docker or snap
<isd>
griff_: there's a thing in the docs somewhere about how to do it. It needs to be a privileged container though, so you don't really get any scurity benefits on top of what Sandstorm already provdies (though if docker is your prefered workflow for deploying stuff it may make sense anyway)
<blowfist>
I think in more recent linux versions, user namespaces can be cascaded
<blowfist>
but as isd mentionned, you most likely require privileges to run sandstorm, all namespaces can only be created by root unless you use the user namespace
<griff_>
isd: Yeah I forgot to google first. I just wanted to use it for app dev work so priviliged is not really a problem
<griff_>
I was looking at docker-spk and thinking about if it was possible to just use that, Docker for Mac and sandstorm in a container to develop apps. But the thing is I really want access to spk dev which docker-spk doesn’t have.
<isd>
Derp, totally scanned passed your last comment.
<isd>
Yeah, getting spk dev to work would be useful. It wouldn't be that hard, but it's a bit of work since right now docker-spk doesn't use raw spk at all; it has its own implementation of package signing etc.
<isd>
...but, I also kinda want to get away from the 'slurp stuff off the filesystem' thing that spk dev does.
<griff_>
isd: doesn’t spk dev just update sandstorm-files?
<JacobWeisz[m]>
It generates sandstorm-files by detecting use by the running dev grain.
<isd>
yeah, so you do have a trace of what's included, but it's still kinda awkward.
<JacobWeisz[m]>
spk pack uses the sandstorm-files list, I imagine.
<isd>
Anyway. One of these days nix-spk will be a thing.
<JacobWeisz[m]>
Could we develop an off switch for spk's auto-detection, such that if you want to manually specify everything, you can while still using spk? This would also be a useful mode for vagrant-spk enter-grain, where you simply don't want to modify the file list.
<griff_>
isd: Well I can help with that. I use Nix and NixOS almost exclusively
<isd>
I'm thinking of building on top of the new flakes system; it's still experimental but as it stabalizes I think it will make for a much better experience. And I really want to have a standard way of having people include random helper daemons and stuff in their packages, flakes seem like a good way to manage that.
<isd>
But the first pass I think is "just" a thin wrapper that calls nix build etc. and uses nix-store -qR to figure out what to pack.
<isd>
Will have to have a look at that. If there's a blessed solution in the pipline though my inclination is to build on that, rather than have to migrate down the line.
<griff_>
isd: Niv is mostly for locking nixpkgs and other github dependencies and it only touches 2 files: nix/source.json and nix/sources.nix so don’t wait for perfection while there is a usable alternative that works right now. The blessed solution has been in the pipeline for close to 2 years. And while it will be great when it arrives niv is the minimal simply solution that most are using.
<griff_>
isd: My most advanced project setup with Nix looks mostly like https://github.com/griff/whitelist it builds a jekyll site each week and runs update scripts for rubygems and nixpkgs each week that make PR’s.
<JacobWeisz[m]>
I still think docker-spk needs a place in docs so people know it exists and how to use it.
<JacobWeisz[m]>
Though, do we have any apps in the market actually built with it yet?
<isd>
Not sure; I know Ross played with it but I don't think he actually pushed anything
<isd>
Jan Jambor was trying to make it work for wordpress, but he kinda disappeared before it happened.
<JacobWeisz[m]>
I rely heavily on existing apps as examples when packaging, so I think at least one published app using a given dev tool is probably somewhere we should get.
<isd>
Yeah. There's an examples/ directory in the repo that has a basic python app in it, but "real" apps would be nice.
frigginglorious1 has joined #sandstorm
frigginglorious has quit [Ping timeout: 265 seconds]
frigginglorious1 is now known as frigginglorious
frigginglorious has quit [Read error: Connection reset by peer]