
Re: XSS risk from iframe@doc?

From: Philip Taylor <pjt47@cam.ac.uk>
Date: Sun, 17 Jan 2010 20:57:40 +0000
Message-ID: <4B5379C4.8060100@cam.ac.uk>
To: Ian Hickson <ian@hixie.ch>
CC: Adam Barth <w3c@adambarth.com>, HTML WG <public-html@w3.org>
Ian Hickson wrote:
> On Sun, 17 Jan 2010, Adam Barth wrote:
>> Whenever we add a new syntax for executing script, there is some risk 
>> that web sites with weak XSS filters will mistakenly let attackers 
>> inject scripting using the new syntax.  For example, a web site might 
>> let an attacker inject the following string:
>>
>> <iframe doc="<script>alert(1)</script>">
>>
>> [...]
> 
> doc="" is only meant to be used with sandbox="". I can just make it not do 
> anything at all if sandbox="" isn't specified, if that helps.

An XSS filter that lets the user give a doc attribute will let the user 
give a sandbox attribute too, i.e. they can write

   <iframe doc="<script>alert(1)</script>" sandbox="allow-scripts">

So as far as I can see, making it do nothing when there's no sandbox 
attribute doesn't help.

-- 
Philip Taylor
pjt47@cam.ac.uk
Received on Sunday, 17 January 2010 20:58:11 GMT
