security: post OAuth token to client webapps if any

[rzr]

When loaded from window.opener CORS is blocked by default,
so this is workaraounding security issues like:

Uncaught DOMException: Blocked a frame with origin (...)
from accessing a cross-origin frame. at (...)

For any security concern this change can be reverted anytime.

Change-Id: I42af71ae822491150c019cff9688356b1a0e2532
Signed-off-by: Philippe Coval p.coval@samsung.com

[hobinjk]

At this level of integration you would be better of setting up a proper OAuth service by editing src/models/oauthclients.ts as described in this setup document.

[rzr]

Yea I tried this once, but on some browsers was not possible from file://... origin (tizen local webapp) so I hacked around to make it work somehow, until a better solution is found.

FYI, I used this bit for PWA app:
https://vimeo.com/277663462#webthing-webapp-pwa-20180629rzr

Maybe I will refactor this proof of concept later, but I wished the code could support several platforms.

[hobinjk]

Yeah, unfortunately this would make it really easy for an attacker to embed a frame of the local token service in their page and trick the user into giving them complete access to their gateway.

I think it's possible to limit the message listener to only respond if the message originates from a file:// URL through ev.origin or something. That would make this PR much more secure.

[rzr]

Yes I was about to suggest this, meanwhile I got proper OAuth on http.
but Instead of testing file:// protocol I prefer to test location.hostname != null, in case other protocol to be used, would that be fine ?

[hobinjk]

I would prefer a whitelist of specific protocols so that the exact behavior is completely specified.

[codecov-io]

Codecov Report

Merging #1149 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1149      +/-   ##
==========================================
+ Coverage   72.32%   72.32%   +<.01%     
==========================================
  Files         126      126              
  Lines        6898     6899       +1     
  Branches     1031     1031              
==========================================
+ Hits         4989     4990       +1     
  Misses       1664     1664              
  Partials      245      245

Impacted Files	Coverage Δ
config/default.js	100% <ø> (ø)	⬆️
src/router.js	98.52% <100%> (+0.02%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3198c40...14d3bd2. Read the comment docs.

[mrstegeman]

@rzr @hobinjk Is this still needed for anything?

[rzr]

I think so it was needed for an "offline" webapp PoC... (loaded from file:// protocol), I made it evolve to support various frameworks (eg: aframe) , so it would be nice to have it in.

[hobinjk]

👍, after #1712 this just needs an additional modification to https://github.com/mozilla-iot/gateway/blob/master/src/router.js#L46 to have 'filesystem:' instead of 'none'

[hobinjk]

Additionally, since this adds the ability for any random file:// page to clickjack the gateway, the modification to the content-security policy should be guarded by a config option (like 7fbaf56)

[mrstegeman]

This should default to false.

[rzr]

yes, I used !false as reminder

[mrstegeman]

This is a handlebars template that gets used in the UI. Instead of using config, you'll need to pass a value into the template.

You're also missing a paren at the end of this line.

[rzr]

yes that code didnt work actually I figured out I used other hack to get token, next version works anyway

[hobinjk]

Thanks for the update! There are just a few minor changes then this LGTM

[hobinjk]

The Content-Security-Policy setting means we'll only be embedded in trusted situations so this doesn't need the config.get here

[rzr]

I still use oauthPostToken to prevent a not wanted post action
see next revison

[hobinjk]

This should be false

[rzr]

fixed

[hobinjk]

The indentation of this is a bit off and the close brace from the initial if statement is missing

[rzr]

fixed

[mrstegeman]

Looks good to me, other than the one comment.

[mrstegeman]

I believe filesystem: needs single quotes around it: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

[rzr]

Seems not , well with quotes I got an alert that they were ignored:

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Content Security Policy: Couldn’t parse invalid host 'filesystem:'

On Tizen:

D/ConsoleMessage( 1681): [WebThings0] file:///js/index.js:438: Mozilla/5.0 (Linux; Tizen 5.0; SAMSUNG TM1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Mobile Safari/537.36

The source list for Content Security Policy directive 'frame-ancestors' contains an invalid source: ''filesystem:''. It will be ignored.

... now i am unsure if scheme should be quoted or not, see:

• https://www.w3.org/TR/CSP2/#scheme_source
• https://tools.ietf.org/html/rfc3986#section-3.1

edit: I will file a bug on MDN

[mrstegeman]

I think you're right. Confusing docs on MDN.

[rzr]

Yes I fixed MDN with help of @sheppy (thx)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors$compare?locale=en-US&to=1535837&from=1534635

[mrstegeman]

@hobinjk Any other objections?