W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > April 2010

[Bug 9602] That autofocus attribute will wreak security havok. What an ignorant idea to bring more logic to HTML. I think I know a couple of ways to abuse it, since it actually is some sort of flow control, which only scripting languages should be capable of. I hope

From: <bugzilla@jessica.w3.org>
Date: Wed, 28 Apr 2010 16:51:25 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1O7ATt-0006hp-1Z@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602





--- Comment #4 from Skyphire <sasha@scarletred.nl>  2010-04-28 16:52:04 ---
Lachlan, maybe it's a good idea to read the description once more. My PoC
doesn't use JavaScript at all. Yours does. World of difference here, because
many people block JavaScript as a security measure.

Due to iframe overlapping (try only iframe overlapping in Firefox to see what
happens) the iframe beneath the original trusted one gets focused, you will
notice if you reconstruct it carefully, that there will be no apparent
difference, because the focus appears to be set in first iframe, but it
actually gets set to the 2nd iframe beneath, tricking a unsuspecting user to
enter a password or other sensitive data for example.

Forgot to add that a SPACE can trigger the SUBMIT button if it received focus.

-Skyphire

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 28 April 2010 16:52:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 28 April 2010 16:52:06 GMT