W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: XSS risk from iframe@doc?

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 17 Jan 2010 20:34:29 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Cc: HTML WG <public-html@w3.org>
Message-ID: <Pine.LNX.4.64.1001172033580.3759@ps20323.dreamhostps.com>
On Sun, 17 Jan 2010, Adam Barth wrote:
>
> Whenever we add a new syntax for executing script, there is some risk 
> that web sites with weak XSS filters will mistakenly let attackers 
> inject scripting using the new syntax.  For example, a web site might 
> let an attacker inject the following string:
> 
> <iframe doc="<script>alert(1)</script>">
> 
> The risk from this injection vector is mitigated because a regexp-based 
> XSS filter will likely block the @doc attribute from containing HTML 
> that executes script.  However, more advanced XSS filters that 
> understand how to parse HTML attributes might let that string through.
> 
> There area couple of options for resolving this issue:
> 
> 1) Always give documents created with @doc a unique origin.  This 
> approach is consistent with the use case of using this attribute for 
> untrusted content.
> 
> 2) Change @doc from being an HTML attribute to being a DOM method. This 
> approach also makes it impossible for authors to screw up the escaping.

doc="" is only meant to be used with sandbox="". I can just make it not do 
anything at all if sandbox="" isn't specified, if that helps.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 17 January 2010 20:34:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:58 GMT