W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > April 2011

[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting

From: <bugzilla@jessica.w3.org>
Date: Mon, 11 Apr 2011 17:01:47 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q9KUl-0005F6-OA@jessica.w3.org>

Tab Atkins Jr. <jackalmage@gmail.com> changed:

           What    |Removed                     |Added
                 CC|                            |jackalmage@gmail.com

--- Comment #2 from Tab Atkins Jr. <jackalmage@gmail.com> 2011-04-11 17:01:46 UTC ---
There doesn't appear to be anything new in this attack.  The basic attack
surface is still just a page author allowing users to put arbitrary content
into the document; all you've done is add an over-complicated way of letting
the attacking script pull extra resources from the server.  This is the same
bog-standard attack vector that has existed since the <script> tag was
invented.  Authors should always sanitize user input.

That said, the @sandbox attribute on <iframe> was created specifically to
address these sorts of situations.  Load the user's data in an iframe with the
sandbox turned on, rather than just writing it directly into the page, and
you're good.  If you don't want to incur a network request for every piece of
user content, load the content with the @srcdoc attribute rather than @src.

Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Monday, 11 April 2011 17:01:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:46 UTC