When the user visits a Web page, the browser downloads the HTML code of that page and parses it to create the Document Object Model (DOM). The HTML contains information about other assets that need to be downloaded to render the page to the user. This includes stylesheets (CSS), images, other documents to display in frames, and many more.
Any of the sites serving those assets could be infected or operated by an attacker. Is this a risk? Could malicious code compromise the machine, or steal data from other sites the user is browsing?
This is called the same-origin policy (SOP), and it is one of the most fundamental security policies on the Web.
The code in a sandbox is restricted in what it can do. It cannot directly access devices such as webcams or microphones. The filesystem and the local network are also not directly available.
- Origin. Browsers download the code from remote servers, whereas Node.js loads it from local files, as the runtimes of other popular programming languages do.
- Trust. Browsers treat the code as untrusted; Node.js treats it as fully trusted.
- Permissions. Browsers restrict the capabilities the code can use, whereas Node.js grants it all the privileges of the operating system account it runs under, including access to devices, files, and the local network.
A successful attack on Node.js programs may impact the entire server the program runs on. The attacker may get access to all the resources the operating system account has access to, potentially leading to a full compromise of the server.
The next post in this series will demonstrate how the dynamic type system may lead to subtle security bugs.