Re: ACS (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 09:43:51 +0000
Message-ID: <252dd75b0912080143r76463bf9y6704a2c5f240c2c4@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "sird@rckc.at" <sird@rckc.at>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
2009/12/8 Adam Barth <w3c@adambarth.com>

> It's not as simple as that.  It is very difficult to mix JavaScript
> objects that belong to different principals.  You can do it if you
> constrain the attacker to a "safe" subset of JavaScript like Caja, but
> in general, the attacker can wreck you with leaked pointers.
>

I constrain JavaScript using $$ rewriting. So for example:-

x=alert;
x(1)

Becomes:-
var $x$;$window$.$x$=$x$;
$x$=$alert$;
$x$(Number(1))

The code is executed in an iframe window and every function/property is
whitelisted. var is used to make all variables fall back to local scope and a
fake window object is used when doing stuff like:-
(1,[].sort)() // Firefox leaks window

I run a syntax check using function before and after the conversion. It
seems pretty safe but I haven't really had much help apart from a few people
on sla.ckers. The only drawback is objects that belong to another window, in
that case I need to pass the window scope to check if objects return to
window.
Received on Tuesday, 8 December 2009 09:44:25 GMT
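To show the $$ rewriting idea from the message in runnable form, here is an added toy sandbox for a small JavaScript subset. It is not the ACS/JSReg code Gareth describes, only an illustration of the same mechanism: every identifier is renamed to `$name$`, numeric literals are wrapped in `Number(...)`, non-exposed names are declared with `var` so they fall back to local scope, and the Function constructor syntax-checks the script before and after rewriting. The function names `rewrite`, `run` and `demo`, the injected `$key$` helper for computed property access, and the `exposed` whitelist (a logging stand-in for `alert`, plus `Math.max`) are all assumptions of this example.

```javascript
// Added example, not the ACS/JSReg code from the message: a toy "$$ rewriting"
// sandbox. Every identifier in the untrusted script becomes $name$, so the
// script can only reach globals and properties the host exposes under a $name$
// key; everything else is declared as a local var and is simply undefined.
const KEYWORDS = new Set(['var', 'function', 'return', 'if', 'else', 'for',
  'while', 'do', 'break', 'continue', 'new', 'typeof', 'instanceof', 'in',
  'void', 'delete', 'true', 'false', 'null']);
const LITERAL_KW = new Set(['true', 'false', 'null']);
const PUNCT = /^[()[\]{};,.=+\-*\/%<>!&|?:]$/;
// identifier | number | string | comment | whitespace | any other single char
const TOKEN = /([A-Za-z_$][\w$]*)|(\d+(?:\.\d+)?)|("(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')|(\/\/[^\n]*|\/\*[\s\S]*?\*\/)|(\s+)|([\s\S])/g;

function rewrite(src, exposed) {
  new Function(src); // syntax check before rewriting, as in the message
  const locals = [];
  const brackets = []; // per open '[': true when it is a member access
  let out = '';
  let prev = 'punct'; // kind of the previous significant token
  for (const [, ident, num, str, comment, ws, other] of src.matchAll(TOKEN)) {
    if (ws) { out += ws; continue; }
    if (comment) { out += ' '; continue; } // a space keeps neighbouring tokens apart
    if (ident) {
      if (KEYWORDS.has(ident)) {
        out += ident;
        prev = LITERAL_KW.has(ident) ? 'value' : 'kw';
      } else {
        // 'this', 'eval', 'constructor', '__proto__', ... all land here
        const name = '$' + ident + '$';
        const isExposed = Object.prototype.hasOwnProperty.call(exposed, ident);
        if (!isExposed && !locals.includes(name)) locals.push(name);
        out += name;
        prev = 'value';
      }
    } else if (num) {
      out += 'Number(' + num + ')'; // mirrors the Number(1) wrapping in the message
      prev = 'value';
    } else if (str) {
      out += str;
      prev = 'value';
    } else if (!PUNCT.test(other)) {
      // backticks, '#', '\', '@' and anything else unknown: fail closed
      throw new SyntaxError('disallowed character ' + JSON.stringify(other));
    } else if (other === '[') {
      const member = prev === 'value'; // a[...] is an access, [1,2] is a literal
      brackets.push(member);
      out += member ? '[$key$(' : '[';
      prev = 'punct';
    } else if (other === ']') {
      out += brackets.pop() ? ')]' : ']';
      prev = 'value';
    } else {
      out += other;
      prev = (other === ')' || other === '}') ? 'value' : 'punct';
    }
  }
  const prelude = locals.length ? 'var ' + locals.join(',') + ';' : '';
  const code = '"use strict";' + prelude + out;
  new Function(code); // syntax check after rewriting; rejects anything left unhandled
  return code;
}

// $key$ is injected by the host, not reachable from user code (a user-written
// $key$ becomes $$key$$). It maps computed keys onto the same $name$ namespace
// as dotted access, so obj["constructor"] cannot bypass the property whitelist.
const keyHelper = (k) => (typeof k === 'number' ? k : '$' + String(k) + '$');

function run(src, exposed) {
  const code = rewrite(src, exposed);
  const names = ['$key$', ...Object.keys(exposed).map((n) => '$' + n + '$')];
  const values = [keyHelper, ...Object.values(exposed)];
  return new Function(...names, code)(...values);
}

// Constructed host-side whitelist: a logging stand-in for alert, and Math.max
// exposed as $max$ so that Math.max works while Math.constructor does not.
const calls = [];
const exposed = Object.freeze({
  alert: (msg) => { calls.push(String(msg)); return msg; },
  Math: Object.freeze({ $max$: Math.max }),
});

function demo() {
  const attempt = (code) => { try { return run(code, exposed); } catch (e) { return e.name; } };
  return {
    rewritten: rewrite('x=alert;\nx(1)', exposed),
    value: run('x=alert;\nreturn x(Math.max(1, 2))', exposed), // 2, and calls records '2'
    thisLeak: attempt('return this'),                            // undefined
    dotCtor: attempt('return "".constructor'),                   // undefined
    computedCtor: attempt('return ""["constructor"]'),           // undefined
    sortLeak: attempt('return (1,[].sort)()'),                   // 'TypeError'
    template: attempt('return `x`'),                             // 'SyntaxError'
  };
}
```

The rewriter is token-based rather than a real parser, so it fails closed on every construct it does not understand (template literals, private fields, hex literals, `let`/`const`) by throwing from the character check or from the post-rewrite `new Function` syntax check. Computed access is the one place dotted-style renaming is not enough, which is why `a[expr]` is routed through the injected `$key$` helper; the trade-off is that only numeric indexes pass through unchanged. The message's Firefox case `(1,[].sort)()` ends up calling `[].$sort$`, which is undefined in this design, so it throws instead of returning a window object.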