Unofficial WebKit CORS vulnerability patches

This document presents a set of unofficial WebKit patches to configure a web browser in a way that avoids the CORS vulnerability. CORS is an acronym which stands for Cross-Origin Resource Sharing. It was originally introduced by W3C as a "functionality enhancement"; however, its benefits do not outweigh its costs in terms of security and privacy compromise.

When CORS is enabled, a web browser is allowed to load resources from origins (hosts) that are different from the origin of the user's request (the host that appears in the browser's address bar). Therefore, when CORS is enabled, untrusted resources can be loaded by the browser, because trust is not transitive: trusting the host in the address bar does not imply trusting every other host that it references!

The following patches represent a possible countermeasure for the CORS vulnerability:
- patch for the stable WebKit releases (2.18.x);
- patch for the unstable WebKit releases (2.19.x) and git development tree (Nov 2017);
- patch for the WebKit (Chromium) shipped with Android 4.4 (KitKat).

Please note that, when loading some web documents with CORS disabled, there might be a loss of functionality (for example, some or all images might not load). This is absolutely normal and it proves that the countermeasure is effective, as the browser is not loading content from untrusted providers.

The WebKit patches listed above are only effective when combined with a patched browser which can configure the new settings. Here are patches for the default Android web browser and for three other selected browsers, epiphany (Linux/Gnome), Zirco (Android) and Orweb (Android):
- patch for the stable epiphany releases (3.26.x);
- patch for the unstable epiphany releases (3.27.x) and git development tree;
- patch for the default Android web browser;
- patch for the Zirco browser (version 0.4.4);
- patch for the Orweb browser (version 0.7).

All the patches listed above can be applied with the command "patch -p1". They are free software, provided "as is", in the hope that they will be useful, but WITHOUT ANY WARRANTY.

Most people probably want to keep their browser configured as follows:
- select option "Disable CORS";
- select option "Enable CORS within the same domain";
- do not select option "Disable CORS Redirection".
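As an added example, not code from the patches themselves, the following JavaScript models the load decision that these three settings imply for a document and a (possibly redirected) resource. The exact behaviour of each option is an assumption stated in the comments, as is the simplified registrable-domain check.

```javascript
// Added example (not part of the patches): a model of how the three settings above
// could decide whether a document at documentUrl may load a resource, including the
// hops of an HTTP redirect chain. The semantics are assumptions for illustration:
//   disableCors        - block any resource whose origin differs from the document's origin
//   corsSameDomain     - relax that to resources on the same registrable domain
//   disableRedirection - also refuse a redirect hop that changes origin, even when the
//                        final target would otherwise be allowed

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function registrableDomain(hostname) {
  // Simplification: last two labels (e.g. "cdn.example.com" -> "example.com").
  // A real implementation would consult the Public Suffix List.
  return hostname.split(".").slice(-2).join(".");
}

function sameDomain(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
    registrableDomain(ua.hostname) === registrableDomain(ub.hostname);
}

function resourceAllowed(documentUrl, resourceUrl, settings) {
  if (!settings.disableCors) return true;               // CORS enabled: browser default
  if (originOf(documentUrl) === originOf(resourceUrl)) return true;
  return settings.corsSameDomain && sameDomain(documentUrl, resourceUrl);
}

// chain: the requested URL followed by every redirect target, in order.
// Returns { allowed, blockedAt, reason } so a caller can log why a load was refused.
function shouldLoad(documentUrl, chain, settings) {
  for (let i = 0; i < chain.length; i++) {
    if (!resourceAllowed(documentUrl, chain[i], settings)) {
      return { allowed: false, blockedAt: i, reason: "cross-origin resource" };
    }
    if (i > 0 && settings.disableRedirection &&
        originOf(chain[i - 1]) !== originOf(chain[i])) {
      return { allowed: false, blockedAt: i, reason: "cross-origin redirect" };
    }
  }
  return { allowed: true, blockedAt: -1, reason: "" };
}

// The configuration recommended above.
const recommended = { disableCors: true, corsSameDomain: true, disableRedirection: false };
```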

One last tip: before rebuilding the patched browser on Android, you should first install the modified Android SDK that can be built with "make update-api ; make PRODUCT-sdk-sdk". And if you get an error while building the SDK which complains about missing tools, then reinitialize and synchronize the repository with the following commands:
"repo init <original_repository_arguments> -gall,tools ; repo sync"
Once the modified SDK has been compiled, it will be available in out/host/linux-x86/sdk. Update the SDK Manager preferences in Android Studio with the new SDK location and finally start rebuilding the modified Zirco browser. Be careful not to let Android Studio overwrite the new SDK with updates from the network!

If you are using Mozilla Firefox instead of a WebKit-based browser, then you might be able to find similar functionality in the requestpolicy extension.

Copyright © 2017-2018 Guido Trentalancia. All rights reserved.