
Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 08 Dec 2009 07:07:59 -0800
Cc: Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Message-id: <73EA591F-2742-4DC0-89DE-1D3B0FCC659F@apple.com>
To: gaz Heyes <gazheyes@gmail.com>

On Dec 8, 2009, at 1:24 AM, gaz Heyes wrote:

> 2009/12/8 Adam Barth <w3c@adambarth.com>
> One of my favorite parts about security is that "the buck stops here,"
> meaning finger-pointing about who's responsible for what doesn't
> really matter.  In the end, we need to consider the security of the
> system as a whole.
>
> If you agree that we ought to do something about the threat of
> stealing CSRF tokens with attribute selectors, then the question
> becomes "what should we do?" not "who's responsible for the problem?"
>
> So, what should we do?
>
> One possible solution would be to ignore hidden field types and  
> password field types when using selectors. So for example:-
>
> <style>
> input[value*="a"]#token {
> /*
> Any rules are disabled or limited as the field type is hidden
> */
> }
> </style>
> <input type=hidden id=token value=supersecret>

Another possibility is to specifically blacklist the use of the  
contents of the "value" attribute in attribute selectors for elements  
in the HTML namespace. Either all elements, or specifically input  
elements, or more specifically input elements of type password or  
hidden.

I think that is better than making attribute selectors not work with  
those elements at all. People validly use attribute selectors on form  
controls based on the "type" attribute to style them.

Regards,
Maciej
Received on Tuesday, 8 December 2009 15:08:34 GMT
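
The options raised in this message and in the quoted proposal can be compared side by side. The following is an added example, not part of the original message or of any browser's code: it models a single compound selector against constructed sample elements, and the policy names are hypothetical labels for the options discussed.

```javascript
// Added example. Simplified model: one compound selector
// (tag, #id, [attr], [attr op "val"]); no combinators or pseudo-classes.
const SENSITIVE_TYPES = new Set(["hidden", "password"]);

function parseSelector(sel) {
  const attrs = [];
  const attrRe = /\[\s*([\w-]+)\s*(?:([~|^$*]?=)\s*["']?([^"'\]]*)["']?)?\s*\]/g;
  const rest = sel.replace(attrRe, (_, name, op, val) => {
    attrs.push({ name: name.toLowerCase(), op: op || null, val: val || "" });
    return "";
  });
  const tag = (rest.match(/^[a-zA-Z][\w-]*/) || [null])[0];
  const id = (rest.match(/#([\w-]+)/) || [null, null])[1];
  return { tag: tag && tag.toLowerCase(), id, attrs };
}

function attrMatches(test, actual) {
  if (actual === undefined) return false;
  if (test.op === null) return true;            // [attr] presence test
  if (test.op === "=") return actual === test.val;
  if (test.val === "") return false;            // empty substring never matches
  if (test.op === "*=") return actual.includes(test.val);
  if (test.op === "^=") return actual.startsWith(test.val);
  if (test.op === "$=") return actual.endsWith(test.val);
  return false;                                 // ~= and |= are not modelled
}

function isSensitive(el) {
  const type = (el.attrs.type || "text").toLowerCase();
  return el.tag === "input" && SENSITIVE_TYPES.has(type);
}

// Hypothetical policy labels: "none" (no filtering),
// "skip-sensitive-elements" (no rule applies to hidden/password inputs),
// "no-value-all" | "no-value-input" | "no-value-sensitive" ([value...] refused).
function selectorApplies(sel, el, policy) {
  const s = parseSelector(sel);
  if (policy === "skip-sensitive-elements" && isSensitive(el)) return false;
  const valueRefused =
    policy === "no-value-all" ||
    (policy === "no-value-input" && el.tag === "input") ||
    (policy === "no-value-sensitive" && isSensitive(el));
  if (valueRefused && s.attrs.some((a) => a.name === "value")) return false;
  if (s.tag && s.tag !== el.tag) return false;
  if (s.id && s.id !== el.attrs.id) return false;
  return s.attrs.every((a) => attrMatches(a, el.attrs[a.name]));
}

// Constructed sample elements; the first mirrors the hidden field quoted above.
const token = { tag: "input", attrs: { type: "hidden", id: "token", value: "supersecret" } };
const pw = { tag: "input", attrs: { type: "password", id: "pw", value: "" } };
```

With `"skip-sensitive-elements"`, `input[type="password"]` no longer applies to the password field, while `"no-value-sensitive"` keeps that styling and still refuses value-based tests on the hidden field.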
