GIF89a Ajax Binary Hacks id:TAKESAKO Cybozu Labs, Inc. <[email protected]> - How to break same-origin-policy -

Post on 17-Jan-2016


DESCRIPTION

GIF89a Ajax Binary Hacks - How to break same-origin-policy - by id:TAKESAKO, Cybozu Labs, Inc. Ajax GIF89a: how to break the same-origin policy (parallelize cross-domain access) using the GIF89a binary image object as a protocol for AJAX communications. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: GIF89a Ajax Binary Hacks

GIF89a Ajax Binary Hacks

id:TAKESAKO

Cybozu Labs, Inc.

<[email protected]>

- How to break same-origin-policy -

Page 2: GIF89a Ajax Binary Hacks

How to break same-origin-policy (parallelize cross-domain access)

Ajax GIF89a

GIF89a Binary Image Object for AJAX communications protocol

Page 3: GIF89a Ajax Binary Hacks

How to do cross-domain access with Ajax

1. XMLHttpRequest (XHR) + local proxy: XHR doesn't support cross-domain access, so a local proxy is used to break through the cross-domain restriction.
   Performance problem (proxy overhead); security problem (open proxy).

2. Flash + crossdomain.xml, e.g. the SocketJS implementation.

3. JSONP: <script src="*.js?callback=func"></script>

4. GIF89a Binary Image Object: parallelize cross-domain access.

Page 4: GIF89a Ajax Binary Hacks

(1)

Page 5: GIF89a Ajax Binary Hacks

XMLHttpRequest (XHR) + Local proxy

XHR doesn't support cross-domain access.

Local Proxy breaks through the cross-domain restriction.

Problem: performance problem (proxy overhead…)

Security problem (open proxy…)

Page 6: GIF89a Ajax Binary Hacks

(2)

Page 7: GIF89a Ajax Binary Hacks
Page 8: GIF89a Ajax Binary Hacks

Flash Player's cross-domain-policy

http://server/crossdomain.xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
  "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

Page 9: GIF89a Ajax Binary Hacks

(3)

Page 10: GIF89a Ajax Binary Hacks

about JSONP

(1) Define JS callback function

function callback(data) {
  // … do action
}

(2) Create a script element by JavaScript/DOM

<script src="http://example.com/data.json?jsonp=callback"></script>

(3) Response from server (response data)

callback( { foo: 'This is foo.', bar: 'This is bar.', moe: 'This is moe.'} );

Page 11: GIF89a Ajax Binary Hacks

(4)

Page 12: GIF89a Ajax Binary Hacks

GIF89a cross-domain access protocol

(1) Define JS callback function (like JSONP)

function callback(data) {
  // … do action
}

(2) New Image object

<img src="null.gif?q=param" onload="callback(this.width)">

CGI is OK: http://example.com/webapi/null.gif?q=foobar

The data is the GIF image size!

Page 13: GIF89a Ajax Binary Hacks

Return 2 x 16 = 32 bit (over cross-domain)

Server side program (Perl example)

#!/usr/bin/perl
use strict;
use warnings;

sub create_gif {
    # The two 16-bit values become the logical screen width and height.
    # GIF stores them little-endian, so use "v" rather than host-order "S".
    my $size = pack "v2", @_;
    return "GIF89a$size\xf0\x00\x00\x00\x00\x00\xff\xff\xff,"     # header, 2-color map, ','
         . "\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02L\x01\x00;"; # 1x1 image, trailer
}

print "Content-Length: 35\n";
print "Content-Type: image/gif\n\n";
binmode(*STDOUT);
print create_gif(65535, 65535);

1;

Page 14: GIF89a Ajax Binary Hacks

Classical C example for old type

#include <stdio.h>

#define print_gif_head() do { \
    printf( \
        "Content-Length: 35\n" \
        "Content-Type: image/gif\n" \
        "\n"); \
} while (0)

/* 35 bytes: signature, screen descriptor (x, y little-endian),
 * 2-color global color map, 1x1 image descriptor and data, trailer */
#define print_gif_body(x,y) do { \
    putchar('G'); putchar('I'); putchar('F'); putchar('8'); putchar('9'); putchar('a'); \
    putchar(0xff & (x)); putchar(0xff & ((x) >> 8)); \
    putchar(0xff & (y)); putchar(0xff & ((y) >> 8)); \
    putchar(0xf0); putchar(0x00); putchar(0x00); \
    putchar(0x00); putchar(0x00); putchar(0x00); \
    putchar(0xff); putchar(0xff); putchar(0xff); \
    putchar(','); \
    putchar(0x00); putchar(0x00); putchar(0x00); putchar(0x00); \
    putchar(0x01); putchar(0x00); putchar(0x01); putchar(0x00); \
    putchar(0x00); \
    putchar(0x02); putchar(0x02); putchar('L'); putchar(0x01); putchar(0x00); \
    putchar(';'); \
} while (0)

int main(void)
{
    print_gif_head();
    print_gif_body(65535, 65535);
    return 0;
}

Page 15: GIF89a Ajax Binary Hacks

It works!

Page 16: GIF89a Ajax Binary Hacks
Page 17: GIF89a Ajax Binary Hacks

GIF89a - Cross browser technique

+-----------------------+
| +-------------------+ |
| | GIF Signature     | |
| +-------------------+ |
| +-------------------+ |
| | Screen Descriptor | |
| +-------------------+ |
| +-------------------+ |
| | Global Color Map  | |
| +-------------------+ |
|- GIF Terminator      -|
+-----------------------+
20 byte

+-----------------------+
| +-------------------+ |
| | GIF Signature     | |  6 byte (GIF89a)
| +-------------------+ |
| +-------------------+ |
| | Screen Descriptor | |  7 byte (width x height)
| +-------------------+ |
| +-------------------+ |
| | Global Color Map  | |  6 byte (2 colors)
| +-------------------+ |
| +-------------------+ |
| | IMAGE DESCRIPTOR  | |  15 byte (1 x 1)
| +-------------------+ |
|- GIF Terminator      -|  1 byte (;)
+-----------------------+
35 byte

IE cannot load a GIF that consists of only the header, so the 35-byte form with a 1 x 1 image descriptor is needed.
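As an added example that is not part of the slides, the 35-byte null.gif of pages 13-14 rebuilt in Node.js and then parsed the way a browser (or an inspecting proxy) parses it: the two 16-bit values come back out of the logical screen descriptor, the image descriptor reveals the real 1 x 1 size, and the gap between the two is what a response inspector can check for. The names createGif, parseGif and looksLikeSizeChannel are assumptions of this example.

```javascript
// Added example, not from the slides: build the 35-byte null.gif of pages
// 13-14, then parse it the way a browser (or an inspecting proxy) does.

// Encode two 16-bit values as the logical screen width/height of a 1x1 GIF89a.
function createGif(width, height) {
  const u16 = (v) => [v & 0xff, (v >> 8) & 0xff]; // GIF fields are little-endian
  return Buffer.from([
    ...Buffer.from('GIF89a'),             // signature + version     (6 bytes)
    ...u16(width), ...u16(height),        // logical screen size     (4 bytes)
    0xf0, 0x00, 0x00,                     // GCT present, 2 colors; bg; aspect
    0x00, 0x00, 0x00, 0xff, 0xff, 0xff,   // global color map: black, white
    0x2c,                                 // ',' image separator
    0x00, 0x00, 0x00, 0x00,               // image left, top
    0x01, 0x00, 0x01, 0x00,               // image width 1, height 1
    0x00,                                 // no local color table
    0x02,                                 // LZW minimum code size
    0x02, 0x4c, 0x01,                     // sub-block: clear, index 1, EOI
    0x00,                                 // block terminator
    0x3b,                                 // ';' trailer
  ]);
}

// Read the logical screen size (what Image.width/height report) and, when an
// image descriptor follows, the real pixel size. Header-only GIFs (the 20-byte
// variant of page 17) report a 0x0 image.
function parseGif(buf) {
  const sig = buf.toString('latin1', 0, 6);
  if (sig !== 'GIF89a' && sig !== 'GIF87a') throw new Error('not a GIF');
  const screenWidth = buf.readUInt16LE(6);
  const screenHeight = buf.readUInt16LE(8);
  const packed = buf[10];
  let off = 13;                                                // past the screen descriptor
  if (packed & 0x80) off += 3 * (1 << ((packed & 0x07) + 1)); // skip global color table
  if (buf[off] !== 0x2c) return { screenWidth, screenHeight, imageWidth: 0, imageHeight: 0 };
  return {
    screenWidth, screenHeight,
    imageWidth: buf.readUInt16LE(off + 5),
    imageHeight: buf.readUInt16LE(off + 7),
  };
}

// Inspection rule: at most one pixel of image data but a logical screen larger
// than that pixel means the size fields carry something other than an image.
function looksLikeSizeChannel(buf) {
  const g = parseGif(buf);
  return g.imageWidth * g.imageHeight <= 1 && (g.screenWidth > 1 || g.screenHeight > 1);
}
```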

Page 18: GIF89a Ajax Binary Hacks
Page 19: GIF89a Ajax Binary Hacks

Good old days technology for AJAX 2.0

GIF: GIF87a (1987-), GIF89a (1989-)

XML: W3C (1998-)

JSON: RFC 4627 (2006-)

20 years ago…

Binary LOVE