
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 21 Jan 2011 01:48:06 -0800
Message-ID: <AANLkTinq2W0iqyNdHuu00knESVTvf37_tMjWXmbnEK5f@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Giorgio Maone <g.maone@informaction.com>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
> Also, what if a frame is moved underneath the cursor just milliseconds
> before the user clicks something - in which case, the tooltip appears
> too late to allow for any meaningful reaction?

It is probably also worth noting that looking at clickjacking as an
IFRAME-specific problem may be a bit too narrow. Consider this crude
Firefox proof-of-concept (still working):

http://lcamtuf.coredump.cx/ffgeo2/

Worse than that, the problem is also not specific to mouse clicks;
redirecting keyboard entry to off-screen frames is an issue, too (see,
cough, strokejacking for a particularly dramatic case - now mostly
fixed).

I think there is a lot that needs to be done to make browsers
resilient to attacks that seek to route user input contrary to the
victim's intent, and sadly, many of the changes needed for that go
against the current browser UI design paradigms ("blazing fast and
simple"), and some of the concepts behind HTML:

http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html

This is so unrelated to Adam's original post (or even the subsequent
discussion of CSP) that we should probably get our own thread if we
want to go there ;-)

/mz
Received on Friday, 21 January 2011 09:48:59 GMT
