[whatwg] Dealing with UI redress vulnerabilities inherent to the current web from Robert O'Callahan on 2008-09-29 (public-whatwg-archive@w3.org from September 2008)

From: Robert O'Callahan <robert@ocallahan.org>
Date: Mon, 29 Sep 2008 22:32:33 +1300
Message-ID: <11e306600809290232i7a4d03b7x33bdfbeb5ce8a2a7@mail.gmail.com>

On Mon, Sep 29, 2008 at 9:54 PM, Hallvord R M Steen <hallvors at gmail.com>wrote:

> To give webmasters more ways to deal with this situation, I think we
> should implement the Access Control "Origin" HTTP-header only
> (assuming that it should refer to the top site in the frameset
> hierarchy).
>
> Reasoning:
>
> Sites may want to use any of several policies in a "somebody framed
> me" situation. For example, these are all policies a site may want to
> deploy:
>
> 1. nobody may frame my content
> 2. selected sites only may frame my content
> 3. anyone may frame my content but not re-use an existing session
> 4. anyone may frame my content
>
> Giving the site an "Origin: http://www.example.com" HTTP header in the
> intial request lets the backend implement any of these policies.
> Instead of responding with a payload that always includes some variant
> of the proposed "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes"
> header, the site can send or redirect to a framebreaking "embedding
> forbidden" page for policy #1. It can do so selectively based on
> origin site and/or requested content for policy #2. It can kill
> existing cookies, void session and set new origin-specific cookies for
> policy #3.)
>

That's good to have and we should definitely do it, but there are a couple
of reasons "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise" would be
useful as well:
-- a bit simpler to implement on the server
-- for privacy reasons some UAs in some situations might not want to expose
the origin to the IFRAME's server; allowing the origin check to happen on
the client would handle that

IMO the only UI precaution we can/should do if possible is to make
> transparent IFRAMEs "transparent to events" - basically un-focusable.
>

If you check for opacity:0, I can use opacity:0.01. At what level of opacity
would the IFRAME become transparent to events? And it would leave a whole
lot of other attacks wide open. So I don't think it's worth doing anything
here.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080929/8a529f5d/attachment.htm>

Received on Monday, 29 September 2008 02:32:33 UTC