Re: iframe@security from Anne van Kesteren on 2008-01-21 (public-html@w3.org from January 2008)

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 21 Jan 2008 14:14:17 +0100
To: joshue.oconnor@cfit.ie
Cc: "HTML WG" <public-html@w3.org>
Message-ID: <op.t496130m64w2qv@annevk-t60.oslo.opera.com>

On Mon, 21 Jan 2008 13:19:58 +0100, Joshue O Connor  
<joshue.oconnor@cfit.ie> wrote:
> Anne van Kesteren wrote:
>> What if the message comment contains "</div>" followed by some  
>> dangerous stuff?
>
> Indeed. However, this could be an issue for any HTML element that is
> capable of being a host for "dangerous stuff" and scripted injections
> etc allow malicious authors to use the humble <a> element as a hook for
> all sorts of horrors.

Indeed, which is why, without adding hashes and changing the way the HTML  
parser works (which would make this insanely complicated and not backwards  
compatible at all), I don't see how this could work.

>> What about clients that do not support the security attribute?
>
> I guess its like anything, if it works and is relatively easy to
> implement for vendors they /may/ support it. If /it/ is a good idea in
> the first place but you would know more about how that works than I do.

The problem is that the moment authors start relying on such features that  
are only implemented by user agent X users of user agent Y have a problem  
as the default behavior would be insecure. (This is indeed an issue with  
the Internet Explorer extension as far as I can tell.)

>> There has been extensive discussion on this already on the WHATWG  
>> mailing list [...]
>> there weren't really any proper solutions for the problem, apart from  
>> content authors ensuring they can't be spoofed on their end.
>
> If you (or any other interested parties) wouldn't mind, please keep this
> list posted if there any other useful discussions relating to security
> on the WHATWG list. Accessibility and security are awkward bedfellows
> and I am really interested in how to make web applications more
> accessible and also more secure without compromising either domain. Oh,
> and that should include usability also.

http://www.google.com/search?q=inurl:whatwg-whatwg+sandbox has some of the  
e-mails.  
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2007-May/011198.html  
is a reply to most of the proposals made by Ian Hickson. (Most of the  
discussion happened before the HTML WG really started.)

I'm not sure what sandboxing has to do with accessibility.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 21 January 2008 13:10:58 UTC