W3C home > Mailing lists > Public > public-iri@w3.org > October 2010

Re: [Uri-review] Updated 'javascript' scheme draft

From: Adam Barth <ietf@adambarth.com>
Date: Mon, 4 Oct 2010 22:06:39 -0700
Message-ID: <AANLkTikYuYLsBjvbP=FyJ73s-Zg1VnNv376kp0eh1JTM@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: IRI WG mailing list <public-iri@w3.org>
On Mon, Oct 4, 2010 at 10:00 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Adam Barth wrote:
>>[[
>>   The in-context evaluation operation necessitates extreme caution in
>>   deciding where resource identifiers using this scheme are recognized
>>   and permitted and what facilities are made available to script code,
>>   like access to private information and operations with side effects.
>>]]
>>
>>I probably would have said something a bit stronger than that.
>>JavaScript URLs are a security disaster.  I wouldn't recommend their
>>use by anyone with a choice in the matter.  :)
>
> Like I noted when I announced the revised draft, there has been some
> criticism in that direction, but nobody submitted text and I could not
> come up with text that I didn't feel was misleading (most problems
> with this scheme are shared by other schemes in one form or another,
> so singling this scheme out may be a bad idea). If there was consensus
> that the scheme should be deprecated, I'd gladly do that, but that's
> not where we are.
>
> It would be great if there was, say, a peer-reviewed paper that dis-
> cusses the poor security record with this scheme in some detail, which
> I would gladly reference in the specification, but I have not yet come
> across anything like that yet.

Yeah, I can't think of something off-hand that would be particularly
good to cite.  JavaScript URL XSS isn't usually broken out from other
kinds of XSS.  JavaScript URLs have been particularly problematic in
Firefox where JavaScript URLs have been directly responsible for a
handful of arbitrary code execution vulnerabilities (read: install
malware on your machine).  The main reason for that is because Firefox
implements its UI using fully privileged HTML-like language and
Firefox supports JavaScript URL in the src attribute of image
elements.

Adam
Received on Tuesday, 5 October 2010 05:15:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 30 April 2012 19:52:00 GMT