- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 21 May 2014 16:45:06 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Wed, May 21, 2014 at 3:59 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Tue, May 20, 2014 at 9:24 PM, Jonas Sicking <jonas@sicking.cc> wrote: >> I think you are confusing issues. Or at least talking about two >> separate issues at once in a way that I'm not sure what you are >> talking about. The issue of "is there an XSS issue with treated blob: >> like we treat data:" is a separate issue from "should we treat >> cross-origin blob: like cross-origin http:, i.e. should we allow >> pointing an <img> to a cross-origin blob:". > > Sure, I'm still at the "is there an XSS issue" here given that we can > pass Blob objects around without restrictions. The fact that we allow passing blobs around is no different from the fact that we allow passing an ArrayBuffer or a string around. Once a page knows that it has the blob/arraybuffer/string the only way to have it XSS you is to eval() it. Hopefully pages know not to do that when receiving a blob/arraybuffer/string from an untrusted party as it pretty obviously will enable that party to XSS you. eval() always *explicitly* runs code in your origin. Likewise, if you receive a blob from an untrusted party, and then do myscriptelement.src = URL.createObjectURL(blob), then that very explicitly will run code in your origin. It should be no surprise that that will cause an XSS risk and so hopefully pages know not to do that. URLs are different though. If you receive a URL from an untrusted party you can generally do window.location = url. Or you can do myiframeelement.src = url and the worst thing you need to worry about is that the contained page can navigate the top frame. And that you can protect against by using a sandbox attribute. It is not at all obvious that this can suddenly run code in your own origin. Designing a secure platform doesn't mean forbidding any action that can cause bad things to happen. Doing that might create a secure platform, but one that probably can't do anything interesting. Designing a secure platform is done by making things that can be insecure be very explicit about what they do. So if someone wants to do something that might be insecure that they have to very explicitly ask for that. Hopefully that will cause them to think twice about it and take any necessary precautions first. / Jonas
Received on Wednesday, 21 May 2014 23:46:04 UTC