
Re: CSP XML Data with tokens

From: <sird@rckc.at>
Date: Sat, 29 Jan 2011 22:17:52 -0600
Message-ID: <AANLkTi=gaxSzvk4KT0uw7DUPUXK1DszHQdaPtqx9RmkH@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Gareth Heyes <gazheyes@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
FWIW, several people were recommending it be deprecated in favor of
data URIs (and from what I saw, only Ian was defending it); in the end
it wasn't removed, for security reasons :).

If there isn't a srcdoc, and we only keep src with data URIs, then
this solution would not be backwards compatible. This is because old
browsers that don't understand "sandbox" would just render the HTML
from the data URI in the same origin as the parent doc, which is
dangerous.

So, srcdoc is kinda the same as src+data: URI, but with the advantage
that all UAs that support srcdoc will support sandbox.

I agree with Ian that this is the right behavior, and I actually like
seamless iframes; there are very few disadvantages, which I'll just have
to live with (like... all communication between sandboxed and
unsandboxed content is asynchronous, when it could be synchronous).

Anyways, I digress... The conclusion, from my point of view, is that we
don't need XML data tokens if we have sandboxed iframes with srcdoc.

Greetings!!

-- Eduardo




On Sat, Jan 29, 2011 at 3:49 PM, Adam Barth <w3c@adambarth.com> wrote:
> If you have feedback on srcdoc, you might consider sending that
> feedback to the HTML WG.  I don't believe anyone has implemented
> srcdoc yet, so improvements are likely easier to make now than they
> would be after folk start implementing.
>
> Adam
>
>
> On Sat, Jan 29, 2011 at 1:26 PM, Gareth Heyes <gazheyes@gmail.com> wrote:
>> Well, have we not learnt anything? srcdoc takes over src and includes an unlimited amount of encoded HTML that renders; I can see why a lot of people thought it was a bad idea.
>>
>> I remember your attribute reader point, but I didn't realize that attributes could be used for HTML.
>>
>> Sent from my secret lair
>>
>> On 29 Jan 2011, at 20:28, "sird@rckc.at" <sird@rckc.at> wrote:
>>
>>> If there's srcdoc and src, then srcdoc takes precedence.
>>>
>>> I do agree seamless iframes are kinda shady, and, for example, are
>>> useful for CSS attribute reading, but well.. there was a thread about
>>> this before.
>>>
>>> Greetings
>>> -- Eduardo
>>>
>>>
>>>
>>>
>>> On Sat, Jan 29, 2011 at 3:18 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>>> Haha, this is hilarious: if seamless iframes are allowed in seamless iframes,
>>>> we have an HTML inception vector :D
>>>>
>>>> <iframe sandbox=allow-same-origin seamless=seamless
>>>> srcdoc="&#60;&#105;&#102;&#114;&#97;&#109;&#101;&#32;&#115;&#97;&#110;&#100;&#98;&#111;&#120;&#61;&#97;&#108;&#108;&#111;&#119;&#45;&#115;&#97;&#109;&#101;&#45;&#111;&#114;&#105;&#103;&#105;&#110;&#32;&#115;&#101;&#97;&#109;&#108;&#101;&#115;&#115;&#61;&#115;&#101;&#97;&#109;&#108;&#101;&#115;&#115;&#32;&#115;&#114;&#99;&#100;&#111;&#99;&#61;&#39;&#38;&#35;&#54;&#48;&#59;&#38;&#35;&#49;&#48;&#53;&#59;&#38;&#35;&#49;&#48;&#50;&#59;&#38;&#35;&#49;&#49;&#52;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#48;&#57;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#51;&#50;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#49;&#48;&#59;&#38;&#35;&#49;&#48;&#48;&#59;&#38;&#35;&#57;&#56;&#59;&#38;&#35;&#49;&#49;&#49;&#59;&#38;&#35;&#49;&#50;&#48;&#59;&#38;&#35;&#54;&#49;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#48;&#56;&#59;&#38;&#35;&#49;&#48;&#56;&#59;&#38;&#35;&#49;&#49;&#49;&#59;&#38;&#35;&#49;&#49;&#57;&#59;&#38;&#35;&#52;&#53;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#48;&#57;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#52;&#53;&#59;&#38;&#35;&#49;&#49;&#49;&#59;&#38;&#35;&#49;&#49;&#52;&#59;&#38;&#35;&#49;&#48;&#53;&#59;&#38;&#35;&#49;&#48;&#51;&#59;&#38;&#35;&#49;&#48;&#53;&#59;&#38;&#35;&#49;&#49;&#48;&#59;&#38;&#35;&#51;&#50;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#48;&#57;&#59;&#38;&#35;&#49;&#48;&#56;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#54;&#49;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#48;&#57;&#59;&#38;&#35;&#49;&#48;&#56;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#51;&#50;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#49;&#49;&#52;&#59;&#38;&#35;&#57;&#57;&#59;&#38;&#35;&#49;&#48;&#48;&#59;&#38;&#35;&#49;&#49;&#49;&#59;&#38;&#35;&#57;&#57;&#59;&#38;&#35;&#54;&#49;&#59;&#38;&#35;&#56;&#52;&#59;&#38;&#35;&#49;&#48;&#53;&#59;&#38;&#35;&#49;&#48;&#57;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#57;&#53;&#59;&#38;&#35;&#49;&#48;&#53;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#57;&#53;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#49;&#48;&#56;&#59;&#38;&#35;&#49;&#49;&#49;&#59;&#38;&#35;&#49;&#49;&#57;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#49;&#49;&#52;&#59;&#38;&#35;&#57;&#53;&#59;&#38;&#35;&#49;&#48;&#52;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#49;&#49;&#52;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#54;&#50;&#59;&#38;&#35;&#54;&#48;&#59;&#38;&#35;&#52;&#55;&#59;&#38;&#35;&#49;&#48;&#53;&#59;&#38;&#35;&#49;&#48;&#50;&#59;&#38;&#35;&#49;&#49;&#52;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#48;&#57;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#54;&#50;&#59;&#39;&#62;&#60;&#47;&#105;&#102;&#114;&#97;&#109;&#101;&#62;"></iframe>
>>>>
>>>> What would be interesting is what happens when there's src and srcdoc,
>>>> because if we find an injection in src attribute we can inject this.
>>>>
>>>> On 28 January 2011 17:55, sird@rckc.at <sird@rckc.at> wrote:
>>>>>
>>>>> Hey!
>>>>>
>>>>> So, yes, that's correct :P but you obviously HTML-entify stuff inside
>>>>> the attribute.
>>>>>
>>>>> <iframe sandbox seamless srcdoc="<?php echo
>>>>> strtr($user_input, Array("&"=>"&amp;", "\""=>"&quot;", "<"=>"&lt;", ">"=>"&gt;"));
>>>>> ?>">
>>>>>
>>>>>
>>>>> -- Eduardo
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 28, 2011 at 11:16 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>>>>> On 28 January 2011 16:56, sird@rckc.at <sird@rckc.at> wrote:
>>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> The attribute "seamless" will do:
>>>>>>>
>>>>>>> 1. If you have b{color:blue} in the doc
>>>>>>> 2. You have:
>>>>>>> <iframe sandbox="allow-same-origin" seamless="seamless"
>>>>>>> srcdoc="<b>xD</b>"></iframe>
>>>>>>> 3. You get, a blue bold "xD".
>>>>>>
>>>>>> So it puts HTML content inside an attribute! How would it handle
>>>>>> entities? I mean, if an attribute is rendering as HTML, then does &#39;
>>>>>> become '? Who thought putting HTML in attributes was a good idea? Does
>>>>>> that mean stuff like <a href=javascript&amp;#58;alert(1)>test</a>? I like
>>>>>> the idea of externally included sandboxed HTML but not inline.
>>>>>>
>>>>
>>>>
>>
>
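As an added example (mine, not code from the thread), the two-stage decoding gaz asks about and the escaping Eduardo describes, modelled in plain JavaScript so it runs outside a browser: the attribute value is decoded once by the tokenizer, and only then does the inner HTML parser see the result, so each nesting level needs exactly one extra escape layer. `escapeAttr`, `decodeAttr`, `buildSrcdocIframe` and `srcdocDocument` are names I chose, and `decodeAttr` is a simplified stand-in for the browser's attribute decoder.

```javascript
// Added example, not code from the thread: a model of the two-stage
// decoding that makes srcdoc "HTML inside an attribute", and a safe
// way to put untrusted HTML into it. Function names are this example's own.

// Escape for a double-quoted attribute value. Same four-character map
// as the strtr() call in the thread.
function escapeAttr(s) {
  const map = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return s.replace(/[&"<>]/g, (c) => map[c]);
}

// Simplified model of the browser's attribute-value decoding step:
// numeric references (&#60; / &#x3C;) plus the named ones escapeAttr()
// emits. Real tokenizers know many more names; this is enough to show
// that the attribute is decoded exactly once before the inner HTML
// parser sees the result.
function decodeAttr(s) {
  const named = { amp: '&', quot: '"', lt: '<', gt: '>', apos: "'" };
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    const key = name.toLowerCase();
    return key in named ? named[key] : m;
  });
}

// Wrap untrusted HTML in a sandboxed iframe. A bare `sandbox` (as in the
// PHP snippet in the thread) gives the content a unique origin;
// `allow-same-origin` is deliberately not set here.
function buildSrcdocIframe(untrustedHtml) {
  return `<iframe sandbox seamless srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// What the inner document's HTML parser receives: the raw attribute value
// (up to the first unescaped quote) after one round of attribute decoding.
function srcdocDocument(iframeTag) {
  const m = /srcdoc="([^"]*)"/.exec(iframeTag);
  return m ? decodeAttr(m[1]) : null;
}

// Round trip: one escape layer per nesting level, one decode per level.
const inner = buildSrcdocIframe('<b>xD</b>');
const outer = buildSrcdocIframe(inner);
console.log(srcdocDocument(outer) === inner);                       // true
console.log(srcdocDocument(srcdocDocument(outer)) === '<b>xD</b>'); // true
```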
Received on Sunday, 30 January 2011 04:18:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 30 January 2011 04:18:47 GMT