W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 05 Dec 2009 22:55:16 -0800
Cc: Ian Hickson <ian@hixie.ch>, sird@rckc.at, public-web-security@w3.org
Message-id: <D3A39D01-3C3D-4125-A1A0-A5DEECD32F4D@apple.com>
To: Maciej Stachowiak <mjs@apple.com>

On Dec 5, 2009, at 10:27 PM, Maciej Stachowiak wrote:

> I think the attack is that you can inject CSS in an unwilling victim  
> page by embedding it in a seamless iframe (since CSS rules are  
> supposed to cascade into the iframe's contained document per HTML5).  
> However, since the contents of a seamless iframe have to be same- 
> origin, the embedding page could just script it directly. Thus, I'm  
> not sure what the vulnerability is. It's not safe to put a page on a  
> given origin that contains data which must not be leaked to other  
> pages on that origin. If anyone does that, then violating their  
> mistaken assumption is not XSS. It does seem slightly novel that one  
> page in a given origin could extract data from another on that same  
> origin even if JavaScript is disabled.

OK, I thought of a possible real vulnerability. A trusted host page on  
the site wants to embed some untrusted user-generated content with the  
ability to modify it, so it embeds it, hosted from its own server,  
using <iframe sandbox="allow-same-origin">. This should prevent  
scripting and plugins, so in theory it seems safe. But the untrusted  
content could embed a further iframe with the seamless flag, embedding  
an arbitrary document from the hosting service. It can then use CSS  
selectors to probe for data in that document.

Received on Sunday, 6 December 2009 06:55:50 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:17 UTC