W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 8 Dec 2009 01:40:59 -0800
Message-ID: <7789133a0912080140s4e807078r33c379dfcebae820@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: gaz Heyes <gazheyes@gmail.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
On Tue, Dec 8, 2009 at 1:37 AM, sird@rckc.at <sird@rckc.at> wrote:
> Reading links wouldn't be protected by gareth solution. (nonces on links for
> example, and other potential sensitive information..).

That's a good example, thanks.

> Btw, I think NoScript will start protecting it's users against this attack
> on the near future (kudos to Giorgio).. it's a bit complicated because of
> @charset rules and UTF BOMs.. but it's probably gonna work.. he is going to
> disable attribute selectors (*=, ^=, $=) on some cases.. I'm not aware of
> the details yet.. but I think that's great news!!

Does Giorgio have a way to measure how commonly he blocks these
things?  That would be useful information for evaluating the costs of
disabling attribute selectors entirely.  Before Daniel jumps all over
me, I'll say that it's a data point that's worth knowing in balancing
the security costs of a feature with its benefits.

Adam
Received on Tuesday, 8 December 2009 09:41:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT