The other risk here, aside from MITM between PageSpeed and origin, is
the risk of automatically moving images onto your domain. Imagine a
site allows users to insert image references, and an attacker puts in
a reference to a file that looks enough like an image to satisfy
PageSpeed but browsers will interpret as HTML. Normally this would
look like:
good.example.com/index.html:
<img src="
http://evil.example.com/evil.gif">
But PageSpeed would turn that into something like:
good.example.com/index.html:
<img src="
https://good.example.com/_pagespeed_external_images/evil.example.com/evil.gif">
And then the attacker could get someone to visit it by giving them the
link to that "image", which would be interpreted as HTML and run JS,
giving them an XSS exploit.
This doesn't apply to all browsers: on most modern browsers it's
enough to send "Content-Type: image/gif" and know it won't get
interpreted as HTML. But in some browsers, including IE7 and below,
an image content type enables Content-Type sniffing. This would make
sense if it only enabled sniffing between image types, because people
get that wrong a lot, but it also enables sniffing to html. IE7 is
old, but it's not old enough that we can ship something where it would
be vulnerable to XSS attacks like that.
Additionally, this would either turn PageSpeed into an open proxy for
images or sometimes break images. Background: right now it works for
people to run PageSpeed on multiple servers without a shared cache.
If your servers are near each other it's usually more efficient for
them to share a cache to resources don't have to be reoptimized, but
if you have PageSpeed running in multiple locations/datacenters that's
impractical and would add a lot of latency. So imagine a request
comes in for index.html:
https://good.example.com/index.html:
<img src="
http://other.example.com/image.png">
If PageSpeed were set to auto proxy http images it would rewrite that
to something like:
https://good.example.com/index.html:
<img src="
https://good.example.com/_pagespeed_external_images/other.example.com/image.png">
Now say the browser's request for that image hits a PageSpeed server
in a different location without a shared cache. How does it know this
request is legitimate? Because it can't check legitimacy it has to
just proxy any image it sees. This wouldn't be popular!
One way to fix this would be to require that people either have a
shared cache or turn on resource signing with a shared secret between
all their PageSpeed servers:
https://developers.google.com/speed/pagespeed/module/restricting_urls#url_signatures
But turning this on by default and adding a requirement like this
would break sites that have been doing fine with a shared cache, so
there would have to be a very compelling case.
As Josh says, however, this is something that sites can opt into
already with MapProxyDomain. Here you avoid the security issue by
only turning on MapProxyDomain for domains you trust not to XSS you,
and you avoid the open proxy issue by whitelisting domains.
On Sun, Mar 29, 2015 at 7:07 PM, Centmin Mod George