Re: Seamless iframes + CSS3 selectors = bad idea from gaz Heyes on 2009-12-08 (public-web-security@w3.org from December 2009)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 09:24:11 +0000
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Message-ID: <252dd75b0912080124x45309c58xd81534069440afad@mail.gmail.com>

2009/12/8 Adam Barth <w3c@adambarth.com>

> One of my favorite parts about security is that "the buck stops here,"
> meaning finger-pointing about who's responsible for what doesn't
> really matter.  In the end, we need to consider the security of the
> system as a whole.
>
> If you agree that we ought to do something about the threat of
> stealing CSRF tokens with attribute selectors, then the question
> becomes "what should we do?" not "who's responsible for the problem?"
>
> So, what should we do?
>

One possible solution would be to ignore hidden field types and password
field types when using selectors. So for example:-

<style>
input[value*="a"]#token {
/*
Any rules are disabled or limited as the field type is hidden
*/
}
</style>
<input type=hidden id=token value=supersecret>

Received on Tuesday, 8 December 2009 09:24:55 UTC