
Re: XSS risk from iframe@doc?

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 17 Jan 2010 15:22:18 -0800
Cc: HTML WG <public-html@w3.org>
Message-id: <6545CF0C-78CE-4A4C-A278-9B48072ACB43@apple.com>
To: Adam Barth <w3c@adambarth.com>

On Jan 17, 2010, at 11:41 AM, Adam Barth wrote:

> Whenever we add a new syntax for executing script, there is some risk
> that web sites with weak XSS filters will mistakenly let attackers
> inject scripting using the new syntax.  For example, a web site might
> let an attacker inject the following string:
> 
> <iframe doc="<script>alert(1)</script>">
> 
> The risk from this injection vector is mitigated because a
> regexp-based XSS filter will likely block the @doc attribute from
> containing HTML that executes script.  However, more advanced XSS
> filters that understand how to parse HTML attributes might let that
> string through.
> 
> There are a couple of options for resolving this issue:
> 
> 1) Always give documents created with @doc a unique origin.  This
> approach is consistent with the use case of using this attribute for
> untrusted content.
> 
> 2) Change @doc from being an HTML attribute to being a DOM method.
> This approach also makes it impossible for authors to screw up the
> escaping.

Two other possibilities:

3) The presence of doc implies sandboxing.
4) doc doesn't work unless sandbox is also specified

However, these might be vulnerable to sandbox="allow-script allow-same-origin" being injected along with the doc attribute.

Regards,
Maciej
Received on Sunday, 17 January 2010 23:22:52 GMT
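The following is an added example, not code from the thread or from the HTML WG, modelling the two policies under discussion from the filter's side: option 3 ("presence of doc implies sandboxing") in a naive form that only adds a sandbox when none is present, and a stricter form that forces a unique origin even when a sandbox attribute arrives alongside the injected doc attribute, which is the weakness Maciej points out. The attribute is spelled `doc` as in the thread (the shipped HTML attribute is `srcdoc`; both are recognised); the sandbox tokens are the spec's `allow-scripts` and `allow-same-origin`. The attribute parser is a minimal stand-in for a real HTML tokenizer, and the sample tags are constructed (the first echoes the one quoted above).

```javascript
// Added example (not part of the original thread). Assumed: attributes of a
// single <iframe> start tag have already been isolated by the filter's tokenizer.
const DOC_ATTRS = ['doc', 'srcdoc']; // "doc" as named in the thread; "srcdoc" as shipped

// Minimal attribute parser for one start tag: first occurrence of a name wins,
// as in HTML. Real filters should use a full tokenizer, not this regex.
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<\s*[a-zA-Z][^\s\/>]*/, '').replace(/\s*\/?>\s*$/, '');
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!attrs.has(name)) attrs.set(name, value);
  }
  return attrs;
}

// Returns the sandbox token set, or null when there is no sandbox attribute at all.
function sandboxTokens(attrs) {
  if (!attrs.has('sandbox')) return null;
  return new Set(attrs.get('sandbox').toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the framed content could run script in the embedding page's origin:
// either no sandbox, or one that re-grants both allow-scripts and allow-same-origin.
function canRunSameOriginScript(attrs) {
  const tokens = sandboxTokens(attrs);
  if (tokens === null) return true;
  return tokens.has('allow-scripts') && tokens.has('allow-same-origin');
}

// Option 3, naive reading: doc implies a sandbox, but only if none was supplied.
// An attacker who injects sandbox="allow-scripts allow-same-origin" next to
// doc keeps same-origin script, exactly the caveat raised in the reply.
function naivePolicy(attrs) {
  const out = new Map(attrs);
  if (DOC_ATTRS.some((a) => out.has(a)) && !out.has('sandbox')) out.set('sandbox', '');
  return out;
}

// Stricter form: whenever doc is present the filter owns the sandbox attribute
// and strips allow-same-origin, so the inline document always gets a unique
// origin (option 1's outcome) whatever tokens were injected alongside it.
function strictPolicy(attrs) {
  const out = new Map(attrs);
  if (DOC_ATTRS.some((a) => out.has(a))) {
    const tokens = sandboxTokens(out) ?? new Set();
    tokens.delete('allow-same-origin');
    out.set('sandbox', [...tokens].join(' '));
  }
  return out;
}

// Re-emit the tag with attribute values escaped so the output is well-formed.
function escapeAttr(v) {
  return v.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function serialize(attrs) {
  const parts = ['<iframe'];
  for (const [k, v] of attrs) parts.push(`${k}="${escapeAttr(v)}"`);
  return parts.join(' ') + '>';
}

// Constructed sample inputs: the tag from the thread, and the same tag with an
// injected sandbox attribute that re-grants same-origin script.
const SAMPLES = [
  '<iframe doc="<script>alert(1)</script>">',
  '<iframe doc="<script>alert(1)</script>" sandbox="allow-scripts allow-same-origin">',
];

for (const tag of SAMPLES) {
  const attrs = parseAttributes(tag);
  console.log('naive : ', serialize(naivePolicy(attrs)), 'same-origin script:', canRunSameOriginScript(naivePolicy(attrs)));
  console.log('strict: ', serialize(strictPolicy(attrs)), 'same-origin script:', canRunSameOriginScript(strictPolicy(attrs)));
}
```

Run with `node`. The second sample shows the difference: the naive policy leaves the injected `allow-scripts allow-same-origin` in place, while the strict policy keeps `allow-scripts` (the author may still want script in the frame) but removes `allow-same-origin`, so the inline document can no longer reach the embedding page's DOM or cookies. Option 4 (doc does nothing unless sandbox is specified) has the same exposure as the naive policy unless the filter likewise refuses to honour `allow-same-origin` on a doc-bearing frame.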
