Hi list,

I merged my big patch with the latest master, and finally got around to splitting up my big patch into 13 smaller patches in commit order (used git format-patch). Each commit compiles and functions, and is separately integrated, so the progression is easier to see.

A summary of what features these patches add:

1. Universal Same-Origin policy. This keys all browser state (both memory and disk) by origin domain, so that cookie and cache tracking from site to site is blocked by isolation. Yet cookies and cache still fully function as long as the same-origin policy is acknowledged by the website design. Also, a link or redirect, or any navigation that crosses sites/origins gets a dmenu warning prompt.

   POSTs don't currently work. Basically, newwindow() needs to support non-GET methods. I am still designing the best way to do that with libsoup, basically serializing the request on disk and unserializing it in the new origin's process.

2. User-Agent and Accept-Language headers have random entropy added to each request. This means that browser profiling that uses those headers without semantic parsing will get a random identifier each request, preventing linkability. This is designed to cause difficulty for naive browser profiling techniques that just hash a bunch of headers.

3. dmenu-based Download Wizard. This allows you to see what file will be downloaded, and select which folder to download it to, and what filename to save it as, with reasonable defaults. May be a bit overkill for you guys, but I like it.

4. Some default features of webkit that may cause a privacy issue are disabled. I have been browsing just fine without them.

5. Refactoring necessary to get the one-origin-per-process constraint working, like moving the qualifying of the URI earlier, so that the origin can be immediately known. Also, keeping some additional loading state, and adding some navigation hooks into webkit that weren't previously needed.

I usually call surf as `surf -g -p -O -D`. I disable geolocation (-g) and plugins (-p), and enable the same-origin policy (-O) and disk cache (-D). Not just the cookies, but the disk cache, and even html5 local storage databases are per-origin on disk when you pass -O.

I usually use tabbed to manage the per-origin windows well. I put the origin at the beginning of the window title so that it is clear which tab is which origin. It works out quite well for me.

What has been working well for me is to run this mode by default, and I use something else (disable the mode, or run Firefox), if I need the compatibility. I have some issues logging into things like bank websites, I think because of the POST issue remaining, so I just use something else for that, and keep my "surfing" to surf. I have been able to pay some bills online using this mode. The way the login issue usually presents itself is for the auth redirects to get into an infinite loop (4 times is normal, but 10 times means something is probably wrong). I am considering adding a feature to the prompt which lets you break the loop by linking the crossing origins together the way I do for www.gmail.com and accounts.google.com (symbolic link the origin folders).

There are several things in here that could probably use command-line arguments, but I am not really sure which features warrant command-line arguments, and/or what they should be, but with the patches separated, that can be discussed better.

Any comment and/or opinion is welcome. I tried to follow the suckless philosophy/style, but as I am not "native" to this community, I am not really sure where it stands in that respect, except that there are certainly parts that feel a bit sucky, so a pointer in the right direction would be appreciated. The main guideline I have seen regarding surf is that it is to be "a suckless interface to a sucky web". I tried to keep the refactoring as suckless as possible, since that is what depends on knowledge of how surf works, which requires some knowledge of webkit and its dependencies. It took me a couple weeks to get up to speed, so there is certainly a barrier there.

The functions that actually implement the origin comparisons and the random entropy are a bit sucky, but they are isolated, and can be improved by anyone. I just wanted to get something out the door there.

Thank you for your valuable time,

Ben Woolley

0001-Add-prompt-argument-to-SETPROP-for-dmenu-wizards.patch
0002-Wizard-style-download-prompt.patch
0003-Add-configuration-for-HTML5-local-storage-database-p.patch
0004-Disable-useless-webkit-features-that-could-harm-priv.patch
0005-Do-not-trigger-a-download-for-subframes-that-webkit-.patch
0006-Hook-for-controlling-navigation-policy.patch
0007-add-random-entropy-to-user-agent-and-accept-language.patch
0008-Add-explicitnavigation-boolean-to-newwindow-and-load.patch
0009-Need-this-to-apparently-prevent-a-race-condition-whe.patch
0010-about-blank-seems-to-not-be-needed-for-webkit-and-ma.patch
0011-Keep-global-state-for-whether-a-load-was-called-and-.patch
0012-Qualify-URI-earlier-so-that-URI-comparisons-are-poss.patch
0013-Process-level-Universal-Same-Origin-Policy.-Origins-.patch
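
An added example, not taken from the attached patches: one way to derive the per-origin key described in feature 1 and use it both for the cross-origin navigation check and for the on-disk state directory. It assumes state is keyed by the lowercased hostname only (scheme and port ignored); the function names and the /tmp/state base path are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Lowercased host of an absolute URI -> out. 0 on success, -1 if unusable. */
int origin_host(const char *uri, char *out, size_t outlen)
{
	const char *p = strstr(uri, "://"), *end, *q;
	size_t i, n;
	if (!p) return -1;                /* not a qualified URI */
	p += 3;
	end = p + strcspn(p, "/?#");      /* end of the authority part */
	for (q = p; q < end; q++)         /* skip userinfo ("user@host") */
		if (*q == '@') p = q + 1;
	for (n = 0; p + n < end && p[n] != ':'; n++)
		;                         /* stop before the port */
	if (n == 0 || n >= outlen || p[0] == '.') return -1;
	for (i = 0; i < n; i++) {         /* host becomes a directory name: */
		unsigned char c = (unsigned char)p[i];
		/* allow only [A-Za-z0-9.-], so no '/', '%' or IPv6 brackets */
		if (!isalnum(c) && c != '.' && c != '-') return -1;
		out[i] = (char)tolower(c);
	}
	out[n] = '\0';
	return 0;
}

/* 1 if cur -> next leaves the origin; unparseable URIs count as crossing. */
int crosses_origin(const char *cur, const char *next)
{
	char a[256], b[256];
	return origin_host(cur, a, sizeof a) || origin_host(next, b, sizeof b)
	    || strcmp(a, b) != 0;
}

/* Per-origin state directory "<base>/<host>". */
int origin_dir(const char *base, const char *uri, char *out, size_t outlen)
{
	char host[256];
	int n = origin_host(uri, host, sizeof host) ? -1
	      : snprintf(out, outlen, "%s/%s", base, host);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
	char d[512];   /* constructed sample input; /tmp/state is hypothetical */
	if (!origin_dir("/tmp/state", "https://WWW.Example.org:8443/a", d, sizeof d))
		puts(d);
	return 0;
}
```

Because the host is used as a path component, the character whitelist and the leading-dot check are what keep a crafted URI from naming a directory outside the state root.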