W3C home > Mailing lists > Public > public-html@w3.org > June 2010

Re: text/sandboxed-html

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 4 Jun 2010 10:00:33 -0700
Message-ID: <AANLkTimeSC5f0IWeeJ1nNnbux6wg9IeIJbGt2N1Es6so@mail.gmail.com>
To: Artur Adib <arturadib@gmail.com>
Cc: robert@ocallahan.org, public-html@w3.org, Leonard Rosenthol <lrosenth@adobe.com>, Ian Hickson <ian@hixie.ch>
On Thu, Jun 3, 2010 at 2:55 PM, Artur Adib <arturadib@gmail.com> wrote:
> On Thu, Jun 3, 2010 at 5:37 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>> Could an attacker use a custom Flash object to force top-level navigation?
>
> Good question.
>
> Adam- Do you happen to know if that's possible in WebKit?  I mean, I
> don't even know if Flash has access to 'top.location', but if it does,
> will @sandbox protect it?

You can run an experiment and see, but, in general, there's no way for
the browser to contain what plug-ins are able to do.  If navigating
the top frame doesn't work today, that's an accident of implementation
and not a security property, which means you can probably find some
tricky way of asking Flash to navigate the top frame that works.

> At any rate, since most of our problems are Javascript-based, that's a
> risk we're willing to take.  Hopefully the plugin APIs will soon
> respect @sandbox, but until then, as I have argued "allow-plugins" is
> still useful, and can be implemented in parallel with the APIs (see my
> previous message).

Unfortunately, that's not a good basis for designing a security
primitive.  We'd prefer to provide security primitives that address
all the avenues an attacker has in a particular threat model rather
than only blocking some attacks.  For example, suppose we do as you
suggest and it's still possible to use Flash to bypass this security
restriction.  In a year or two, you'll have the same problems you have
today, except that all these sites will be using Flash to framebust
rather than JavaScript.

Adam
Received on Friday, 4 June 2010 17:01:44 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:18 UTC