W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Initial feedback on XBL2

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 4 Sep 2010 19:00:20 -0700
Message-ID: <AANLkTimSp_RVmn5VDTVr_HTcsyaM=xh-5Fp+opdUMJRb@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps@w3.org, hyatt@apple.com
> body { binding: url(example.xbl#nav-then-main); }

Adding active content via CSS is bad for security.  For example, IE
has removed support for CSS expressions (which execute script) and
Mozilla has removed support for XBL bindings, which, like this
proposal, would allow for script execution from CSS.  Perhaps we
should consider a more secure mechanism for invoking the binding.

Later, the document says:

> Note: Attaching a binding using CSS does not import the binding document. The
> element attributes of binding elements in the binding document do not take effect
> unless the binding document is imported. (See: importing binding documents.)

Does that mean injecting a binding style as above is insufficient to
XSS the document?  The document must first opt in by importing that
binding's document either with the <?xbl?> processing instruction or
the loadBindingDocument() method?  If so, that addresses my concern
above.

> if (event.attrName = 'open') {

Presumably you mean == in this example.

> this.addEventListener('DOMAttrModified', function (event) {

DOM mutation events, and DOMAttrModified in particular, lead to a
number of security and stability problems in implementations.  The
essential problem is that they allow script execution at so many
program points that it's difficult for developers of user agents to
anticipate all the sneaky things scripts can do at those program
points.  I'd recommend avoiding DOM mutation events in examples and
using another mechanism for achieving the same effect.

In particular, DOMAttrModified is not currently implemented in WebKit
and I would expect strong resistance to attempts to implement it.

> Data theft: A na´ve implementation of XBL would allow any document to bind to
> bindings defined in any other document, and (since referencing a binding allows
> full access to that binding document's DOM) thereby allow access to any remote
> file, including those on intranet sites or on authenticated extranet sites. XBL
> prevents this by diallowing cross-origin bindings.

Requiring same-origin bindings certainly helps with that problem, but
there still issues with honest servers hosting untrusted content.  We
should require also that the bindings have a media type of text/html.

It's slightly unclear whether that's sufficient, for example, because
XBL appears to execute content inside the <implementation> element as
script.  It would be more secure to place that content inside a script
element:

<script type="application/xbl-binding-implementation">
</script>

That will also help XBL content parse more consistently in supporting
and non-supporting user agents.

> Secure bindings: Using XBL for bindings that need access to the local filesystem,
> e.g. for implementing File Upload form controls, is not yet handled by this
> specification. However, a future version will provide a secure way to define an XBL
> binding that can be used to implement privileged mechanisms that can then be
> used by other bindings to provide such controls.

That's going to be tricky, but we'll cross that road when we get to it.  :)

> An author can ensure that all bindings are synchronously attached by calling
> loadBindingDocument to pre-fetch any binding documents that are required.

I'm slightly confused by this statement.  The description of
loadBindingDocument seems to indiciate that it loads the bindings
document asynchronously.  Does this mean that once loadBindingDocument
tells you it has succeeded in loading the document, attachment is
thereafter synchronous for bindings in that document?

> When a binding is detached, the xblLeftDocument() method must be invoked on
> the binding's implementation.

Is there are requirement on when this method must be invoked?

> The xblLeftDocument() method is called by the user agent when the bound element,
> or one of its ancestors, or one of the elements in a higher shadow scope, is removed
> from the document.

It's unclear whether this function must be called synchronously.  In
general, synchronous execution of JavaScript from DOM mutation is
undesirable.

> <>img attributes="src#url title alt=*text lang=*lang"/>

Presumably "<>" should be "<".

It doesn't look like you can build an binding that doesn't trust the
document to which it is bound.  A better design would allow for that,
although it looks like it could be difficult given some of the other
design decisions.  If you're interested in that direction, let me know
and I can think more carefully about how we could do it.

Adam
Received on Sunday, 5 September 2010 02:01:25 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT