
XSS risk from iframe@doc?

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 17 Jan 2010 11:41:21 -0800
Message-ID: <7789133a1001171141m7505c2b7lf5e419a087c2f6b5@mail.gmail.com>
To: HTML WG <public-html@w3.org>

Whenever we add a new syntax for executing script, there is some risk
that web sites with weak XSS filters will mistakenly let attackers
inject scripting using the new syntax.  For example, a web site might
let an attacker inject the following string:

<iframe doc="<script>alert(1)</script>">

The risk from this injection vector is mitigated because a
regexp-based XSS filter will likely block the @doc attribute from
containing HTML that executes script.  However, more advanced XSS
filters that understand how to parse HTML attributes might let that
string through.

There are a couple of options for resolving this issue:

1) Always give documents created with @doc a unique origin.  This
approach is consistent with the use case of using this attribute for
untrusted content.

2) Change @doc from being an HTML attribute to being a DOM method.
This approach also makes it impossible for authors to screw up the
escaping.

Adam
Received on Sunday, 17 January 2010 19:42:18 GMT
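Added example, not part of Adam's message or of any W3C or browser code: the two filter styles the message contrasts, run over the `<iframe doc="...">` injection string it gives, plus the one change an attribute-aware filter needs (treat @doc as an attribute that carries a document and filter its decoded value as HTML, the way the browser will parse it). The tokenizer and the blocked-tag and URL-attribute lists are deliberate simplifications and are assumptions of this example; the `ENCODED_PAYLOAD` and the benign input are constructed here. The proposal under discussion later shipped as `iframe@srcdoc`, so the same reasoning applies to that attribute today.

```javascript
// Added example (not from the original post). Two toy server-side XSS filters
// over the <iframe doc="..."> injection from the post, and the hardened form.
// The tokenizer is a deliberate simplification of the HTML tokenizer that keeps
// the one property that matters here: a quoted attribute value may contain
// '<' and '>', so the whole payload parses as a single start tag.

// Constructed inputs. PAYLOAD is the string quoted in the post.
const PAYLOAD = '<iframe doc="<script>alert(1)</script>">';
const ENCODED_PAYLOAD = '<iframe doc="&lt;script&gt;alert(1)&lt;/script&gt;">';

// Filter 1: regexp-based. Scans the raw input for a script tag anywhere, so it
// catches the payload even though the tag sits inside an attribute value.
function regexpFilterBlocks(html) {
  return /<\s*script\b/i.test(html);
}

// Decode the character references a filter must understand; the browser
// decodes these in every attribute value before using it.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|lt|gt|quot|amp|apos);/gi, (_, ref) => {
    const r = ref.toLowerCase();
    if (r[0] !== '#') return named[r];
    return String.fromCodePoint(r[1] === 'x' ? parseInt(r.slice(2), 16) : parseInt(r.slice(1), 10));
  });
}

// Minimal start-tag tokenizer: returns [{ name, attrs: { attr: decodedValue } }].
function tokenizeStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) break;
    let j = lt + 1;
    const nameMatch = /^[a-zA-Z][a-zA-Z0-9-]*/.exec(html.slice(j));
    if (!nameMatch) { i = lt + 1; continue; } // end tag, comment or stray '<'
    const name = nameMatch[0].toLowerCase();
    j += name.length;
    const attrs = {};
    while (j < html.length) {
      while (j < html.length && /\s/.test(html[j])) j++;
      if (j >= html.length || html[j] === '>') { j++; break; }
      if (html[j] === '/') { j++; continue; }
      const attrMatch = /^[^\s=\/>]+/.exec(html.slice(j));
      if (!attrMatch) { j++; continue; }
      const attr = attrMatch[0].toLowerCase();
      j += attr.length;
      while (j < html.length && /\s/.test(html[j])) j++;
      let raw = '';
      if (html[j] === '=') {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          // Quoted value: runs to the matching quote, '<' and '>' included.
          const end = html.indexOf(q, j + 1);
          raw = end === -1 ? html.slice(j + 1) : html.slice(j + 1, end);
          j = end === -1 ? html.length : end + 1;
        } else {
          raw = /^[^\s>]*/.exec(html.slice(j))[0];
          j += raw.length;
        }
      }
      attrs[attr] = decodeEntities(raw);
    }
    tags.push({ name, attrs });
    i = j;
  }
  return tags;
}

const BLOCKED_TAGS = new Set(['script', 'object', 'embed']);   // assumed policy
const URL_ATTRS = new Set(['href', 'src', 'action']);           // assumed policy

// Filter 2: attribute-aware. Blocks script tags, on* handlers and javascript:
// URLs, and treats every other attribute value as inert text. markupAttrs is
// the knowledge the filter is missing: which attributes hold HTML documents.
function parserFilterBlocks(html, markupAttrs = new Set()) {
  for (const { name, attrs } of tokenizeStartTags(html)) {
    if (BLOCKED_TAGS.has(name)) return true;
    for (const [attr, value] of Object.entries(attrs)) {
      if (attr.startsWith('on')) return true;
      if (URL_ATTRS.has(attr) && /^\s*javascript:/i.test(value)) return true;
      // The fix: a value that the browser will parse as a document is
      // filtered as a document, after entity decoding, recursively.
      if (markupAttrs.has(attr) && parserFilterBlocks(value, markupAttrs)) return true;
    }
  }
  return false;
}

function attributeAwareFilterBlocks(html) {
  return parserFilterBlocks(html);                    // does not know about @doc
}

function hardenedFilterBlocks(html) {
  return parserFilterBlocks(html, new Set(['doc']));  // recurses into @doc
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const input of [PAYLOAD, ENCODED_PAYLOAD]) {
    console.log(input);
    console.log('  regexp filter blocks:         ', regexpFilterBlocks(input));
    console.log('  attribute-aware filter blocks:', attributeAwareFilterBlocks(input));
    console.log('  hardened filter blocks:       ', hardenedFilterBlocks(input));
  }
}
```

Run with `node` to see the three verdicts for each input. The regexp filter stops the literal payload but not the entity-encoded one, the attribute-aware filter stops neither, and only the filter that knows @doc carries a document stops both; that is the "more advanced XSS filters ... might let that string through" case made concrete, and the reason option 1 (a unique origin for @doc documents) removes the problem from filter authors entirely.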
