
Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 23:52:48 +0800
Message-ID: <8ba534860912080752o33661b95p395165f9807921fb@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Hi!

Ok Maciej, that makes sense..

Links for example may also hold sensitive information (actually the original
PoC was to read links.. then we figured out that passwords/forms/inputs were
better and easier), and I can see the case where devs want to use them
there.. so it wouldn't be a real option in my opinion.

What about blocking completely:

input[type=hidden][value$=]
input[type=hidden][value^=]
input[type=hidden][value*=]

input[password][value$=]
input[password][value^=]
input[password][value*=]
input[password][value=] (to avoid dictionary attacks)

a[rel*=nofollow][href$=]
a[rel*=nofollow][href^=]
a[rel*=nofollow][href*=]

iframe[src$=]
iframe[src^=]
iframe[src*=]

frame[src$=]
frame[src^=]
frame[src*=]

and event handlers as a whole (everything starting with on*) since devs
usually put nonces in there.

Am I missing something?

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/



On Tue, Dec 8, 2009 at 11:37 PM, gaz Heyes <gazheyes@gmail.com> wrote:

> 2009/12/8 Maciej Stachowiak <mjs@apple.com>
>
>> Both of these would store any interesting information as text nodes inside
>> the element. I don't believe any current selectors let you select based on
>> text contents of the element.
>>
>
> So the problem is we don't want the selectors to be used for certain
> elements but those elements vary. Then why don't we have a sensitive
> attribute with an HTML element which effectively disables the selectors.
> Something like:-
>
> <input type="text" sensitive="true" />
>
> or selectively enable the selectors like:-
> <input type="text" css-selectors="true" />
>
Received on Tuesday, 8 December 2009 15:53:41 GMT
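A stylesheet audit that implements the blocklist Eduardo proposes above, as an added example that is not part of the thread. It assumes `input[password]` means `input[type=password]`, and it uses a regex heuristic over plain rule sets rather than a real CSS parser.

```javascript
// Added example (not from the thread): flag selectors that the proposed
// blocklist would reject. Assumptions: input[password] == input[type=password];
// regex-based scanning of plain rule sets, not a full CSS parser.

const SUBSTRING_OPS = new Set(["^=", "$=", "*="]);
const ATTR_RE = /\[\s*([\w-]+)\s*(?:([~|^$*]?=)\s*("[^"]*"|'[^']*'|[^\]\s]*))?\s*\]/g;

// Parse one compound selector (e.g. input[type=hidden][value^=a]) into its
// lowercase tag name and a map of attribute selectors {name: {op, value}}.
function parseCompound(compound) {
  const tag = (compound.match(/^[a-zA-Z][\w-]*/) || [""])[0].toLowerCase();
  const attrs = {};
  for (const m of compound.matchAll(ATTR_RE)) {
    const value = (m[3] || "").replace(/^["']|["']$/g, "").toLowerCase();
    attrs[m[1].toLowerCase()] = { op: m[2] || null, value };
  }
  return { tag, attrs };
}

// Apply the blocklist to one parsed compound; return a reason or null.
function blockReason({ tag, attrs }) {
  for (const name of Object.keys(attrs)) {
    if (name.startsWith("on")) return `event handler attribute [${name}] selected`;
  }
  const type = attrs.type ? attrs.type.value : "";
  const sub = (a) => Boolean(attrs[a]) && SUBSTRING_OPS.has(attrs[a].op);
  if (tag === "input" && type === "hidden" && sub("value")) return "substring match on hidden input value";
  if (tag === "input" && type === "password" && attrs.value && attrs.value.op) return "match on password value";
  if (tag === "a" && attrs.rel && attrs.rel.value.includes("nofollow") && sub("href")) return "substring match on nofollow link href";
  if ((tag === "iframe" || tag === "frame") && sub("src")) return `substring match on ${tag} src`;
  return null;
}

// Scan CSS text; return [{selector, reason}] for every selector that is blocked.
function findBlockedSelectors(cssText) {
  const findings = [];
  const parts = cssText.replace(/\/\*[\s\S]*?\*\//g, "").split(/[{}]/);
  for (let i = 0; i < parts.length; i += 2) {            // even parts are selector lists
    for (const selector of parts[i].split(",").map((s) => s.trim()).filter(Boolean)) {
      // Split on descendant/child/sibling combinators, keeping [...] groups intact.
      const compounds = selector.match(/(?:[^\s>+~\[\]]+|\[[^\]]*\])+/g) || [];
      for (const c of compounds) {
        const reason = blockReason(parseCompound(c));
        if (reason) { findings.push({ selector, reason }); break; }
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet: two rules the blocklist rejects, two it allows.
const SAMPLE_CSS = `
  input[type=hidden][value^="a"] { color: red; }
  a[rel*=nofollow][href$=".pdf"] { color: red; }
  input[type=text][value="hello"] { border: 1px solid; }
  iframe[src="https://example.com/"] { width: 100%; }
`;
```

Running `findBlockedSelectors(SAMPLE_CSS)` reports only the first two rules; exact-match selectors on non-password inputs and iframes pass, as the list above intends.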
