W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 8 Dec 2009 01:32:23 -0800
Message-ID: <7789133a0912080132t7d578467j56732a42da2e56ee@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
On Tue, Dec 8, 2009 at 1:24 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> 2009/12/8 Adam Barth <w3c@adambarth.com>
>> One of my favorite parts about security is that "the buck stops here,"
>> meaning finger-pointing about who's responsible for what doesn't
>> really matter.  In the end, we need to consider the security of the
>> system as a whole.
>>
>> If you agree that we ought to do something about the threat of
>> stealing CSRF tokens with attribute selectors, then the question
>> becomes "what should we do?" not "who's responsible for the problem?"
>>
>> So, what should we do?
>
> One possible solution would be to ignore hidden field types and password
> field types when using selectors.

That seems to address the proximate issue, but it feel like
blacklisting.  Are there other related attacks we're not thinking of
that would make sense to address at the same time?

Adam
Received on Tuesday, 8 December 2009 09:33:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT