
Re: Proposal: Security checks after same-origin revocation with document.domain

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 25 Jun 2012 23:13:47 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
cc: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
Message-ID: <Pine.LNX.4.64.1206252310050.26380@ps20323.dreamhostps.com>

On Mon, 25 Jun 2012, Boris Zbarsky wrote:
> On 6/25/12 3:57 PM, Ian Hickson wrote:
> > C puts code into B that causes the server to reflect markup of C's 
> > choosing into an iframe using A's origin (B's original origin, the 
> > origin used in the Origin: header that B would send when making the 
> > request to the server). C thus gets control over A.
> 
> Hmm.  It can't actually access the DOM of A, as far as I can tell.  It 
> can obviously run script with the relevant server's principal, of 
> course.

It can load A in an iframe.


> > > They don't assume that right now, and if it actually worked that way 
> > > some things would be pretty broken.
> > 
> > According to you in [1], WebKit and IE _do_ work this way.
> > 
> > http://lists.w3.org/Archives/Public/public-script-coord/2012AprJun/0120.html
> 
> No, they do security checks at Window boundaries.  You're saying that 
> authors should assume those security checks are not there.  But they 
> are, precisely to provide _some_ protection.

But you're arguing this protection is essentially worthless, so it's not 
clear to me why it's worthwhile enough that only providing it doesn't 
break the Web but worthwhile little enough that only providing it would 
break the Web.


> But to actually take advantage of that protection you have to be Really 
> Careful right now.  I'm proposing that we allow authors to be Slightly 
> Less Careful without getting screwed, but teach them to be Really 
> Careful (as in, make sure they drop all non-Window-level references) 
> anyway.  Which they'll have to be while there are UAs implementing the 
> old security model on the market.  It's just when they inevitably screw 
> up being Really Careful they're not automatically vulnerable.

It seems like if we're going to advocate anything to authors, the thing to 
advocate is "forget about document.domain altogether". We now have 
multiple other better solutions to the problems that that feature addresses.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 25 June 2012 23:14:11 UTC
