
Re: ACS (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 18:56:27 +0800
Message-ID: <8ba534860912080256g653ebf06w8a7dc82c9bf5d4af@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
oh btw.. I just noticed this thread says ACS..

nice! :D but my main objective was to add sandboxes to HTML.. if it's even
possible at this point.
-- Eduardo

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 6:19 PM, sird@rckc.at <sird@rckc.at> wrote:

> Oh, and in this case, my sandbox (Phantom sandbox) I use the native firefox
> protection of "nodeless" or "ghost" documents from the generated principal..
> So it should be safe.. there are quite a few ways of making a safe js
> sandbox, especially if we have browser's support (wrappers + independent
> principals mostly).
> Greetings!!
> -- Eduardo
> http://www.sirdarckcat.net/
> Sent from Hangzhou, 33, China
> On Tue, Dec 8, 2009 at 5:43 PM, gaz Heyes <gazheyes@gmail.com> wrote:
>> 2009/12/8 Adam Barth <w3c@adambarth.com>
>>> It's not as simple as that.  It is very difficult to mix JavaScript
>>> objects that belong to different principals.  You can do it if you
>>> constrain the attacker to a "safe" subset of JavaScript like Caja, but
>>> in general, the attacker can wreck you with leaked pointers.
>> I constrain javascript using $$ rewriting. So for example:-
>> x=alert;
>> x(1)
>> Becomes:-
>> var $x$;$window$.$x$=$x$;
>> $x$=$alert$;
>> $x$(Number(1))
>> The code is executed in an iframe window and every function/property is
>> whitelisted. var is used to make all variables fallback to local scope and a
>> fake window object is used when doing stuff like:-
>> (1,[].sort)() // Firefox leaks window
>> I run a syntax check using function before and after the conversion. It
>> seems pretty safe but I haven't really had much help apart from a few people
>> on sla.ckers. The only drawback is objects that belong to another window, in
>> that case I need to pass the window scope to check if objects return to
>> window.
Received on Tuesday, 8 December 2009 10:57:20 GMT
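The `$$` rewriting gaz describes above, as an added illustration that is neither his rewriter nor the Phantom sandbox: a toy Node.js rewriter that renames every identifier and property name to `$name$`, wraps numeric literals in `Number()`, `var`-declares the renamed names so assignments stay local, and runs the result in a function whose only visible bindings are the whitelisted `$name$` parameters, so unlisted names such as `eval` or `constructor` fail closed. The `alert` in the whitelist is a constructed stand-in for the browser function.

```javascript
// Added example, not code from the thread. Toy "$$ rewriting" sandbox.
// The tokenizer only knows strings, numbers, identifiers and single
// punctuation characters; comments and regex literals are not handled.
const KEYWORDS = new Set(["var", "function", "return", "if", "else", "for",
  "while", "new", "typeof", "true", "false", "null", "undefined"]);
const TOKEN = /(\s+)|("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|(.)/g;

// Rename identifiers/property names to $name$ and wrap numbers in Number().
function rewrite(source) {
  const locals = new Set();
  const code = source.replace(TOKEN, (m, ws, str, num, id) => {
    if (num !== undefined) return `Number(${num})`;
    if (id === undefined || KEYWORDS.has(id)) return m; // whitespace, strings, punctuation, keywords
    const renamed = `$${id}$`; // source "$alert$" becomes "$$alert$$", so it cannot name a whitelisted binding
    locals.add(renamed);
    return renamed;
  });
  return { code, locals };
}

// Run rewritten source with the whitelisted values as the only bindings.
function runSandboxed(source, whitelist) {
  const params = Object.keys(whitelist).map((n) => `$${n}$`);
  const { code, locals } = rewrite(source);
  // "var" every renamed name that is not whitelisted, so x=alert binds a
  // local instead of reaching the real global scope.
  const decls = [...locals].filter((l) => !params.includes(l));
  const body = (decls.length ? `var ${decls.join(",")};\n` : "") + code;
  // Function(...) builds the sandbox scope; "use strict" blocks implicit globals.
  return new Function(...params, `"use strict";\n${body}`)(...Object.values(whitelist));
}

// Report either the returned value or the name of the error that stopped it.
function tryRun(source, whitelist) {
  try { return { ok: true, value: runSandboxed(source, whitelist) }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}

// Constructed stand-in for the browser's alert; the only exposed binding.
const WHITELIST = { alert: (v) => `alert(${v})` };
```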

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT