- From: Adam Barth <hk9565@gmail.com>
- Date: Tue, 29 Apr 2008 17:56:14 -0700
A couple points about Section 4.1.4:

1) The spec, as written, prohibits frame-busting.

Test case: <http://crypto.stanford.edu/~abarth/research/html5/frame-busting/>

Browser behavior:
* Internet Explorer 8 beta: Navigation allowed.
* Firefox 3 nightly: Navigation allowed.
* Safari 3.1: Navigation allowed.
* Opera 9: Navigation allowed.

Frame-busting is used by many sites, including the Yahoo sign-in page. The Yahoo sign-in page uses frame-busting to avoid showing its trusted sign-in image while being framed by an attacker (who can overlay his own password field on top of Yahoo's).

2) The spec reads "The browsing context B an auxiliary browsing context and either its opener browsing context is A or A is allowed to navigate B's opener browsing context." This is redundant because if B's opener browsing context is A, then A is allowed to navigate B's opener browsing context.

3) Consider the following set of frames. A opens X, which opens B. Now A attempts to navigate B.

Test case: <http://crypto.stanford.edu/~abarth/research/html5/transitive-opener/>

Browser behavior:
* Internet Explorer 8 beta: Navigation allowed (IE does not implement an opener restriction).
* Firefox 3 nightly: Navigation denied.
* Safari 3.1: Navigation allowed (Safari does not implement an opener restriction).
* Opera 9: Navigation denied.

The spec allows this navigation because it says "A is allowed to navigate B's opener browsing context." Now, A is allowed to navigate X (by this rule), which means A is also allowed to navigate B (by a second application of this rule). I don't have access to the Opera source code, but Firefox's opener restriction computes just one level of recursion. Note the branch at <http://lxr.mozilla.org/seamonkey/source/docshell/base/nsDocShell.cpp#1991> and that the function passes PR_FALSE for the parameter aConsiderOpener when it calls itself recursively.
Adam

On Tue, Apr 29, 2008 at 2:11 AM, Ian Hickson <ian at hixie.ch> wrote:
> On Tue, 29 Jan 2008, Collin Jackson wrote:
> > On Oct 26, 2007 3:51 PM, Adam Barth <hk9565 at gmail.com> wrote:
> > > Collin Jackson and I have been looking at the frame navigation policy
> > > of various browsers and have a suggestion for improving the frame
> > > navigation policy in the HTML5 spec. As we understand the spec [1],
> > > it is stricter than IE7, Firefox 2, IE6, and Safari 3.
> >
> > Since Adam sent this original email, we've been working with browser
> > vendors to deploy the Ancestor frame navigation policy in browsers. A
> > description of this policy can be found at
> > <http://crypto.stanford.edu/frames/>.
> >
> > By adopting this policy, HTML5 will match Internet Explorer, Firefox,
> > and Safari.
>
> Done.
>
> Cheers,
> --
> Ian Hickson U+1047E )\._.,--....,'``. fL
> http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
> Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 29 April 2008 17:56:14 UTC
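The two navigation questions raised in points 1 and 3 of the message above, worked through in a toy model of the "allowed to navigate" check. This is an added example, not code from the email, the spec or any browser; the rule set, the context names and the origins are assumptions made for illustration.

```javascript
// Toy model of the HTML5 "allowed to navigate" check (added example; not
// code from the email, the spec or any browser). Assumed rule set:
//   1. A and B have the same origin;
//   2. B is nested and some ancestor of B has the same origin as A
//      (the Ancestor policy linked from the thread);
//   3. B is an auxiliary context and A is its opener, or A is allowed to
//      navigate B's opener (the rule quoted in point 2).
// `transitive` selects the spec-as-written reading of rule 3 (recursive)
// or the one-level check the email attributes to Firefox.

function makeContext(name, origin, { parent = null, opener = null } = {}) {
  return { name, origin, parent, opener };
}

function allowedToNavigate(A, B, transitive, considerOpener = true) {
  if (A.origin === B.origin) return true;                          // rule 1
  for (let anc = B.parent; anc !== null; anc = anc.parent) {        // rule 2
    if (anc.origin === A.origin) return true;
  }
  if (B.opener !== null && considerOpener) {                        // rule 3
    if (B.opener === A) return true;
    // One-level variant: the recursive call ignores openers (cf. aConsiderOpener).
    return allowedToNavigate(A, B.opener, transitive, transitive);
  }
  return false;
}

// Point 3: A opens X, which opens B; may A navigate B? (constructed origins)
function transitiveOpenerCase() {
  const A = makeContext("A", "https://a.example");
  const X = makeContext("X", "https://x.example", { opener: A });
  const B = makeContext("B", "https://b.example", { opener: X });
  return {
    specAsWritten: allowedToNavigate(A, B, true),   // true
    oneLevel: allowedToNavigate(A, B, false),       // false
  };
}

// Point 1: a sign-in page framed by another site tries to frame-bust by
// navigating its top-level context. Under rules 1-3 alone the framed page
// is denied, while the framing page may still navigate the frame.
function frameBustingCase() {
  const top = makeContext("top", "https://framer.example");
  const signin = makeContext("signin", "https://signin.example", { parent: top });
  return {
    framedPageNavigatesTop: allowedToNavigate(signin, top, true),  // false
    framerNavigatesFrame: allowedToNavigate(top, signin, true),    // true
  };
}
```

Adding a rule that lets a nested context navigate its own top-level context is what would flip the first result and permit frame-busting.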