
You can also enable tainting interactively in your browser. Navigate to a javascript: URL and enter navigator.taintEnabled().

Specific Tainting

Navigator marks a specific set of objects, their properties, and their methods as tainted. The user does not need to know the taint value Navigator assigned to them. These items are identified as potential sources of a security risk if abused. Table 34-1 shows the items that are automatically tainted in a document.

window.status           document.length
window.defaultStatus    document.element
                        document.forms[]
location.href           document.links[]
location.protocol       document.title
location.host           document.location
location.hostname       document.referrer
location.port           document.lastModified
location.pathname       document.cookie
location.hash           document.domain
location.search
location.toString()     form.action

history.previous        inputObject.name
history.current         inputObject.value
history.next            inputObject.defaultValue
history.toString()      inputObject.status
                        inputObject.defaultStatus
option.text             inputObject.toString()
option.value
option.defaultSelected
option.selected

Table 34-1. Default tainted elements in a document.

Taint-enabled browsers can view tainted items, but they cannot send the information to any location on the Internet that is not on the same domain and server. If, on the other hand, you want snoopy scripts to be able to propagate your homepage information (form entries, for example) wherever they want, you can use the untaint() method to make an untainted reference to the object:

var prevHistoryFree = untaint(history.previous)

By making an untainted reference to your previous link, you have given the world explicit permission to take the data and propagate it wherever it wants. Of course, the author of such a snoopy script would have to study your HTML source to figure out how you have named the untainted data.

There are times when you want to secure more than what is tainted by default. You may have some custom functions or global variables that you do not want to share or allow some snoopy scripts to invoke. Sometimes, sensitive information about the document is hidden in one of your document’s functions. Navigator 3.0 helps you protect this function or other entities by tainting them via the taint() method. For example, if you define a function named mySecretAlgorithm(), you can taint it as follows:

function mySecretAlgorithm() {
   // function body (statements)
}
taint(mySecretAlgorithm)

Foreign scripts may call mySecretAlgorithm, but the result will be tainted; that is, the function and any result it computes must stay in the foreign script's scope and cannot be communicated to other domains or servers.

Window Taint Accumulator

The browser keeps track of tainted data exchanges between windows by updating each window’s taint accumulator. The taint accumulator is the mechanism to watch your window’s tainting status, as your scripts interact with items in other windows. When a document is loaded into a window, its taint accumulator is initialized to identity, which is the null value. Every time there is a tainted data exchange with another server, the accumulator mixes different taint codes to create new codes that identify the sources of data origins (server1, server2, server3, ...). Notice that all of the server’s data elements share the same tainted code of the server.

The taint codes in the accumulator are checked whenever there is an attempt to pass data over the network. Three taint codes are checked: the script’s accumulated taint, the taint code of the targeted server, and the taint code of the data. For the transfer operation to succeed, either two of the taint codes must be equal, or at least one must be identity (null). If an incompatibility is identified, a dialog box pops up, asking for confirmation or cancellation of the URL load or form post.

The taint accumulator changes dynamically upon interaction with another server, but it can also be manipulated by the page author. In general, taint accumulates until the document is unloaded and is reset to identity only if it contains the current document’s original code. Also, all windows loading documents from the same server share the same taint accumulator. To manipulate the taint accumulator, call taint() or untaint() with no arguments. When calling taint(), JavaScript adds the current document’s taint code to the accumulator. Calling untaint() removes taint from the accumulator only if it holds taint from the current window. If the current window has been tainted by other servers, untaint() will have no effect. Removing taint from the accumulator will reset the taint code to identity.
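As an added illustration (not code from this book and not Navigator's own implementation), the following JavaScript models the accumulator and transfer-check rules exactly as the text above states them. The representation of a taint code as a sorted list of server origins, the mix() helper, the TaintAccumulator class and the server names are assumptions of this model.

```javascript
// Illustrative model (not Netscape's implementation) of the Navigator 3.0
// taint-accumulator rules described above. A taint code is either IDENTITY
// (null) or a sorted, de-duplicated array of server origins; mixing two codes
// unions their origins, so "serverA" mixed with "serverB" becomes both.
const IDENTITY = null;

function mix(a, b) {
  if (a === IDENTITY) return b;
  if (b === IDENTITY) return a;
  return Array.from(new Set([...a, ...b])).sort();
}

function sameCode(a, b) {
  if (a === IDENTITY || b === IDENTITY) return a === b;
  return a.length === b.length && a.every((s, i) => s === b[i]);
}

// Network-transfer check: the script's accumulated taint, the target server's
// taint code and the data's taint code are compared. The transfer proceeds
// when at least one code is identity or two of the codes are equal; otherwise
// the browser would show its confirm/cancel dialog.
function transferAllowed(scriptTaint, targetTaint, dataTaint) {
  const codes = [scriptTaint, targetTaint, dataTaint];
  if (codes.some(c => c === IDENTITY)) return true;
  return sameCode(scriptTaint, targetTaint) ||
         sameCode(scriptTaint, dataTaint) ||
         sameCode(targetTaint, dataTaint);
}

// Per-window accumulator: starts at identity when the document loads.
class TaintAccumulator {
  constructor(documentCode) {
    this.documentCode = documentCode; // taint code of the document's server
    this.code = IDENTITY;
  }
  // Tainted data exchange with some server: mix its code into the accumulator.
  exchangeWith(serverCode) { this.code = mix(this.code, serverCode); }
  // taint() with no arguments: add the current document's own taint code.
  taint() { this.code = mix(this.code, this.documentCode); }
  // untaint() with no arguments: resets to identity only if the accumulator
  // holds nothing but the current document's own code; otherwise no effect.
  untaint() {
    if (sameCode(this.code, this.documentCode)) this.code = IDENTITY;
    return this.code;
  }
}
```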

Summary

This chapter describes the security issues of the Internet and Netscape’s tainting mechanism which answers some of them. Tainting can be applied to specific elements, to the whole document, or to a window. The concept of a taint accumulator is described. Users of Navigator 3.0 and up find themselves answering many more dialog boxes than with Navigator 2.0. There is no way to circumvent this situation but to untaint specific elements. Security on the Web is critical for its growth and commercial usage. Netscape does not have the last word on it, so you can expect some changes in this direction. Changes may vary in range from revolutionary (adopting the digital signature algorithm) to evolutionary (improving on the current methods of tainting and taint accumulator).
