"cmd/principal": No third-party code on Macaroon receiving page

A Bugcrowd researcher recently reported an attack wherein an
attacker can steal macaroons by carrying out a MITM attack on
the CSS fetching done by our macaroon-receiver page.
See: https://github.com/veyron/release-issues/issues/2033

The macaroon-receiver page runs on http://localhost and the CSS
is fetched over HTTP as well. As a result, using a MITM attack on
the CSS fetching, an attacker can get hold of the URL of the page
via the referrer header and therefore the macaroon embedded in the
URL. The macaroon can then be used by the attacker to obtain a
blessing for himself under the identity encapsulated in the
macaroon, thus carrying out an impersonation attack.

There are a number of ways to fix this attack -- fetching
the CSS over HTTPS, or, redirecting the macaroon-receiver page to one
that does not have the macaroon embedded in the URL, or getting
rid of the CSS entirely.

This CL goes with the third fix mentioned above. The macaroon-receiver
page is one of the most security-critical pages in our seek-blessings
flow. Therefore, it is risky to have *any* third-party code on this
page. By not having any third-party code, and not making any external
requests, we eliminate the risk of leaking any data out from the
macaroon-receiver page.

This CL gets rid of the link to the stylesheet, and instead inlines some
style attributes on the various HTML tags.

Change-Id: I4dc1429b194de79b761020ccf38242eafb95bd18

diff --git a/cmd/principal/bless.go b/cmd/principal/bless.go
index ef4e761..3ed3ed9 100644
--- a/cmd/principal/bless.go
+++ b/cmd/principal/bless.go
@@ -158,22 +158,21 @@
<html>
<head>
<meta charset="UTF-8">
+<!--Excluding any third-party hosted resources like scripts and stylesheets because otherwise we run the risk of leaking the macaroon out of this page (e.g., via the referrer header) -->
<title>Vanadium Identity: Google</title>
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css">
{{if .Blessings}}
<!--Attempt to close the window. Though this script does not work on many browser configurations-->
<script type="text/javascript">window.close();</script>
{{end}}
</head>
<body>
-<div class="container">
+<div>
{{if .ErrShort}}
-<h1><span class="label label-danger">error</span>{{.ErrShort}}</h1>
-<div class="well">{{.ErrLong}}</div>
+<center><h1><span style="color:#FF6E40;">Error: </span>{{.ErrShort}}</h1></center>
+<center><h2>{{.ErrLong}}</h2></center>
{{else}}
-<h3>Received blessings: <tt>{{.Blessings}}</tt></h3>
-<h4>You may close this tab now.</h4>
+<center><h1>Received blessings: <tt>{{.Blessings}}</tt></h1></center>
+<center><h2>You may close this tab now.</h2></center>
{{end}}
</div>
</body>
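Review bot: The new comment at the top of `<head>` states the no-external-resources rule, but nothing in the template enforces it, so a later edit that reintroduces an external `<link>`, `<script>` or `<img>` would send the macaroon-bearing URL out in the referrer header again. Consider adding `<meta name="referrer" content="no-referrer">` next to the comment (or sending an equivalent Referrer-Policy response header with this page) as a backstop, plus a test asserting that the rendered template contains no external URL. Two smaller points: the removed `<meta name="viewport" ...>` line triggers no request and could stay, and the deprecated `<center>` wrappers could be replaced with `style="text-align:center"` on the enclosing `<div>`, in line with the inline style already used on the error `<span>`.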