
Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 23:55:38 +0800
Message-ID: <8ba534860912080755p4aaad4ccq4bdf73a54789494b@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org

oh and form[action*=],form[action^=],form[action$=]
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, Zhejiang, China

On Tue, Dec 8, 2009 at 11:52 PM, sird@rckc.at <sird@rckc.at> wrote:

> Hi!
>
> Ok Maciej, that makes sense..
>
> Links for example may also hold sensitive information (actually the
> original PoC was to read links.. then we figured out that
> passwords/forms/inputs were better and easier), and I can see the case where
> devs want to use them there.. so it wouldn't be a real option in my opinion.
>
> What about blocking completely:
>
> input[type=hidden][value$=]
> input[type=hidden][value^=]
> input[type=hidden][value*=]
>
> input[password][value$=]
> input[password][value^=]
> input[password][value*=]
> input[password][value=] (to avoid dictionary attacks)
>
> a[rel*=nofollow][href$=]
> a[rel*=nofollow][href^=]
> a[rel*=nofollow][href*=]
>
> iframe[src$=]
> iframe[src^=]
> iframe[src*=]
>
> frame[src$=]
> frame[src^=]
> frame[src*=]
>
> and event handlers as a whole (everything starting with on*) since devs
> usually put nonces in there.
>
> Am I missing something?
>
>
> Greetings!!
> -- Eduardo
> http://www.sirdarckcat.net/
>
>
>
> On Tue, Dec 8, 2009 at 11:37 PM, gaz Heyes <gazheyes@gmail.com> wrote:
>
>> 2009/12/8 Maciej Stachowiak <mjs@apple.com>
>>
>>> Both of these would store any interesting information as text nodes
>>> inside the element. I don't believe any current selectors let you select
>>> based on text contents of the element.
>>>
>>
>> So the problem is we don't want the selectors to be used for certain
>> elements but those elements vary. Then why don't we have a sensitive
>> attribute with an HTML element which effectively disables the selectors.
>> Something like:-
>>
>> <input type="text" sensitive="true" />
>>
>> or selectively enable the selectors like:-
>> <input type="text" css-selectors="true" />
>>
>
>
Received on Tuesday, 8 December 2009 15:56:32 GMT
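
The blocklist proposed in this message, together with the `form[action]` selectors from the follow-up, written as a stylesheet lint in JavaScript. This is an added example, not code from the thread: the function names are hypothetical, `input[password]` is read as `type=password`, and a compound selector with no element name is assumed to match any element.

```javascript
// Added example: lint a selector list against the blocklist proposed in this thread.
// Limitation: a "[" or "]" inside a quoted attribute value is not handled.
const SUBSTR = new Set(["^=", "$=", "*="]);
const ATTR_RE = /\[\s*([\w-]+)\s*(?:([~|^$*]?=)\s*(?:"([^"]*)"|'([^']*)'|([^\]\s]*)))?\s*\]/g;

// Split on combinators and commas, but never inside an attribute block.
function compounds(selectorText) {
  const out = [];
  let depth = 0, cur = "";
  for (const ch of selectorText) {
    if (ch === "[") depth++;
    else if (ch === "]") depth--;
    if (depth === 0 && /[\s>+~,]/.test(ch)) { if (cur) out.push(cur); cur = ""; }
    else cur += ch;
  }
  if (cur) out.push(cur);
  return out;
}

// Return the blocklist rule a compound selector falls under, or null.
function blockedRule(compound) {
  const tag = (compound.match(/^[a-zA-Z][\w-]*/) || ["*"])[0].toLowerCase();
  const attrs = [...compound.matchAll(ATTR_RE)].map((m) => ({
    name: m[1].toLowerCase(), op: m[2] || null,
    value: (m[3] ?? m[4] ?? m[5] ?? "").toLowerCase(),
  }));
  // Assumption: a compound without a type selector can match any element.
  const isTag = (...names) => tag === "*" || names.includes(tag);
  const probes = (name, ops) => attrs.some((a) => a.name === name && ops.has(a.op));
  const typeIs = (t) => attrs.some((a) => a.name === "type" && a.op === "=" && a.value === t);

  // "Event handlers as a whole": any attribute selector on an on* attribute.
  if (attrs.some((a) => a.name.startsWith("on"))) return "event handler attribute";
  if (isTag("input") && typeIs("hidden") && probes("value", SUBSTR)) return "hidden input value";
  // Assumption: "input[password]" in the mail means type=password; the bare form is accepted too.
  const pw = typeIs("password") || attrs.some((a) => a.name === "password");
  if (isTag("input") && pw && probes("value", new Set([...SUBSTR, "="]))) return "password input value";
  const nofollow = attrs.some((a) => a.name === "rel" && a.op === "*=" && a.value === "nofollow");
  if (isTag("a") && nofollow && probes("href", SUBSTR)) return "nofollow link href";
  if (isTag("iframe", "frame") && probes("src", SUBSTR)) return "frame src";
  if (isTag("form") && probes("action", SUBSTR)) return "form action";
  return null;
}

// Lint a whole selector list; returns [{ compound, rule }] for every hit.
function lintSelectors(selectorText) {
  return compounds(selectorText)
    .map((c) => ({ compound: c, rule: blockedRule(c) }))
    .filter((hit) => hit.rule !== null);
}
```
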
