
ACS (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 8 Dec 2009 01:35:39 -0800
Message-ID: <7789133a0912080135n188fde22o9b2b4b396835b9b8@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: gaz Heyes <gazheyes@gmail.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org

As you suggest, I've started a new thread.

On Tue, Dec 8, 2009 at 1:29 AM, sird@rckc.at <sird@rckc.at> wrote:
> I also like this option:
>
> 4. add a declarative option to <link> and <style> elements to say
>   the CSS parser should be in a "sandboxed" mode
>
> I am doing something like that already on ACS (
> http://docs.google.com/View?id=ddqtfnx3_381fxp3zjf3 ) but having it on HTML5
> would be greaaat.
>
> Would it be possible to add it to <script>? (I also support this on ACS
> using Gareth Heyes's jsreg : http://tinyurl.com/jsreg ).
>
> In script it could work to define functions with a different principal..
> this way the stuff in there can only work with references it receives from
> user functions (should have the same type of protections Mozilla adds to
> addons interacting with web content with Wrappers).

It's not as simple as that.  It is very difficult to mix JavaScript
objects that belong to different principals.  You can do it if you
constrain the attacker to a "safe" subset of JavaScript like Caja, but
in general, the attacker can wreck you with leaked pointers.  If you'd
like to learn more about this, you might be interested in reading:

http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf

and possibly

http://www.adambarth.com/papers/2009/barth-jackson-li.pdf

Adam
Received on Tuesday, 8 December 2009 09:36:27 GMT
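The wrapper idea sird raises and the leaked-pointer problem Adam describes, as an added example that is not code from this thread, from ACS or from Mozilla: a minimal one-directional membrane in modern JavaScript (it needs the ES2015 Proxy, which did not exist in 2009). The names wrap, unwrap, trustedApi and the sample object are this example's own, and it only covers references flowing from the trusted side into the sandbox.

```javascript
const wrapperOf = new WeakMap(); // raw trusted object -> its wrapper
const rawOf = new WeakMap();     // wrapper -> raw trusted object
const unwrap = (v) => (rawOf.has(v) ? rawOf.get(v) : v);

function wrap(value) {
  // Primitives carry no authority, so they cross unchanged.
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return value;
  }
  if (wrapperOf.has(value)) return wrapperOf.get(value); // stable identity
  const readOnly = () => { throw new TypeError("trusted object is read-only from the sandbox"); };
  const proxy = new Proxy(value, {
    // Everything read through a wrapper is wrapped in turn: properties,
    // prototypes, call results and constructed objects, so no raw pointer
    // (and hence no raw Function or global object) reaches the sandbox.
    get: (t, prop) => wrap(Reflect.get(t, prop)),
    getPrototypeOf: (t) => wrap(Reflect.getPrototypeOf(t)),
    apply: (t, self, args) => wrap(Reflect.apply(t, unwrap(self), args.map(unwrap))),
    construct: (t, args) => wrap(Reflect.construct(t, args.map(unwrap))),
    // Policy: the sandboxed side may not mutate trusted objects.
    set: readOnly,
    defineProperty: readOnly,
    deleteProperty: readOnly,
  });
  wrapperOf.set(value, proxy);
  rawOf.set(proxy, value);
  return proxy;
}

// Constructed sample: an object the host page hands to sandboxed code.
const trustedApi = {
  count: 0,
  config: { theme: "dark" },
  greet(name) { return `hello ${name}`; },
  bump() { return ++this.count; }, // runs on the raw object, so it can mutate
};
const sandboxView = wrap(trustedApi);

// Defender-side check on the view the sandbox receives: true means a raw
// trusted reference leaked through the wrapper.
function leaksRawPointer(view) {
  return view.config === trustedApi.config ||
    Object.getPrototypeOf(view) === Object.prototype ||
    view.greet.constructor === Function;
}

function sandboxCanMutate(view) {
  try { view.count = 99; return true; } catch (e) { return false; }
}
```

A production membrane also needs a shadow target to satisfy Proxy invariants on non-configurable properties (for example `Function.prototype`) and a second membrane for references flowing the other way; this sketch only shows why every crossing reference has to be wrapped.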
