
Re: ACS (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 17:43:10 +0800
Message-ID: <8ba534860912080143p38cded68i2b0e25732c05bf07@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Hi Adam,

Yeah, I'm aware of those documents (and attacks), we've been playing with JS
Sandboxes for quite some time now. I have one here:
http://sandbox.sirdarckcat.net/ feel free to break it =D
Gareth Heyes has another approach here:
http://tinyurl.com/jsreg

I think a similar approach can be used, that's why I think this is possible
on Mozilla at least.

To make this compatible with old browsers maybe:

<script type="text/sandboxed-javascript">

would work.

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 5:35 PM, Adam Barth <w3c@adambarth.com> wrote:

> As you suggest, I've started a new thread.
>
> On Tue, Dec 8, 2009 at 1:29 AM, sird@rckc.at <sird@rckc.at> wrote:
> > I also like this option:
> >
> > 4. add a declarative option to <link> and <style> elements to say
> >   the CSS parser should be in a "sandboxed" mode
> >
> > I am doing something like that already on ACS (
> > http://docs.google.com/View?id=ddqtfnx3_381fxp3zjf3 ) but having it on
> HTML5
> > would be greaaat.
> >
> > Would it be possible to add it to <script>? (I also support this on ACS
> > using Gareth Heyes's jsreg : http://tinyurl.com/jsreg ).
> >
> > In script it could work to define functions with a different principal..
> > this way the stuff in there can only work with references it receives
> from
> > user functions (should have the same type of protections Mozilla adds to
> > addons interacting with web content with Wrappers).
>
> It's not as simple as that.  It is very difficult to mix JavaScript
> objects that belong to different principals.  You can do it if you
> constrain the attacker to a "safe" subset of JavaScript like Caja, but
> in general, the attacker can wreck you with leaked pointers.  If you'd
> like to learn more about this, you might be interested in reading:
>
> http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf
>
> and possibly
>
> http://www.adambarth.com/papers/2009/barth-jackson-li.pdf
>
> Adam
>
Received on Tuesday, 8 December 2009 09:44:10 GMT
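Adam's point above about leaked pointers, and Eduardo's suggestion of Mozilla-style wrappers, can be illustrated with a small membrane in plain JavaScript. This is an added example, not code from the thread, from ACS, or from jsreg; `makeHost`, `naiveWrap`, `membrane` and `demo` are names chosen for the illustration, and the host object is constructed sample data.

```javascript
// Added example (not from the thread): a minimal "membrane" in plain JavaScript.
// Host objects handed to sandboxed code are exposed through Proxies, and every
// value that crosses the boundary (nested property reads, call results) is
// wrapped again, so no raw host reference leaks. The naive wrapper wraps only
// the top level and leaks nested objects.

// Constructed host state standing in for a page's own objects.
function makeHost() {
  const secrets = { token: "host-token" };
  return {
    name: "widget",
    config: { theme: "light" },
    getSecrets() { return secrets; },
  };
}

// Naive wrapper: blocks writes on the top-level object only. Anything read as a
// nested property or returned from a method is a raw host reference.
function naiveWrap(target) {
  return new Proxy(target, { set() { return false; } });
}

// Membrane: allowlists keys on objects and wraps nested objects and call
// results recursively, so sandboxed code never holds a raw host reference.
function membrane(target, allow = new Set(["name", "config"])) {
  const wrap = (v) =>
    (typeof v === "object" && v !== null) || typeof v === "function"
      ? membrane(v, allow) : v;
  return new Proxy(target, {
    get(t, key) {
      if (typeof t !== "function" && !allow.has(key)) return undefined; // deny unlisted keys
      return wrap(Reflect.get(t, key));
    },
    set() { return false; },                       // sandboxed code cannot mutate host state
    apply(t, thisArg, args) {                      // `this` is dropped so the raw host never leaks
      return wrap(Reflect.apply(t, undefined, args));
    },
  });
}

// Runs the same "sandboxed" actions against a wrapper and reports what reached the host.
function demo(wrapFn) {
  const host = makeHost();
  const view = wrapFn(host);
  try { view.config.theme = "dark"; } catch (e) {}  // nested write (throws under strict mode if blocked)
  const leaked = typeof view.getSecrets === "function" ? view.getSecrets() : undefined;
  return { themeAfter: host.config.theme, exposedSecrets: leaked !== undefined };
}
```

With the naive wrapper the nested write lands on the host and the secrets object is reachable; with the membrane the host is untouched and the unlisted method is simply invisible.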
