- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 06 Dec 2009 00:27:35 -0800
- To: sird@rckc.at
- Cc: Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org

On Dec 6, 2009, at 12:16 AM, sird@rckc.at wrote:

> Hi!
>
> Yeah.. seamless iframes just enhance the scope of the attack to the
> whole origin (instead of the current page).

I see.

> I tried to persuade giorgio maone to lock these selectors on NoScript,
> but that had a performance loss that wasn't really affordable (I
> think that was the reason.. giorgio can clarify this).
>
> In any case... as I said before, this CSS3 selectors "new toy" is
> awesome, I've used it already to:
>
> a[href$=".pdf"]::before{content:url(pdficon.gif)}
>
> And it rocks, it really rocks.. but do we really want to give soooo
> much power to CSS?
>
> I mean, imho, :visited selectors should have been vanished from
> CSS3.. but well..
>
> I think there should be some security guy in the team (if it exists)
> that reviews the specs with the power to block features "early" (eg.
> before people implement them).. as I see the spec is just a whole
> bunch of new features with un-documented new attack scenarios..
> quoting gareth heyes.. "if you can think on anything that would make
> html better for hacking, it has been implemented on HTML 5".
> . (come on.. attributes on closing tags? autofocus? wtf!)

The team that reviews W3C specs consists of anyone who wants to review. And you can probably convince implementors not to implement things that are insecure by explaining how they are insecure. You have to keep in mind though that implementors will trade off potential attack surface against usefulness - so anything that's not a blatant exploit probably may still get implemented if it's really useful. Otherwise we would never add anything to the Web platform.

BTW attributes on closing tags are ignored (they are processed solely to allow the right parse errors to be emitted), and autofocus emulates something that you can do with script and which many sites already do, so it's not clear to me how either creates any vulnerabilities.

Regards,
Maciej

Received on Sunday, 6 December 2009 08:28:09 UTC