[Bug 13587] New: [html5] Potential scheme/content handlers security issues

http://www.w3.org/Bugs/Public/show_bug.cgi?id=13587

           Summary: [html5] Potential scheme/content handlers security
                    issues
           Product: HTML WG
           Version: unspecified
          Platform: Other
               URL: http://www.w3.org/mid/1312266581.13091.3.camel@papyrus
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: mike+html-wg-mailbot@w3.org
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


public-html-comments posting from: Philippe De Ryck
<philippe.deryck@cs.kuleuven.be>
http://www.w3.org/mid/1312266581.13091.3.camel@papyrus

The following comment contains detailed information about an issue that
was discovered during a recent security analysis of 13 next generation
web standards, organized by ENISA (European Network and Information
Security Agency), and performed by the DistriNet Research Group (K.U.
Leuven, Belgium).

The complete report is available at http://www.enisa.europa.eu/html5
(*), and contains information about the process, the discovered
vulnerabilities and recommendations towards improving overall security
in the studied specifications.

 Summary 
---------

The specification of custom scheme/content handlers does not really deal
with potential security issues nor does it provide adequate protection
towards users.

Based on: HTML5, 11 July 2011
Relevant Sections: 6.5.1.2. Custom Scheme and Content Handlers

 Issue
-------
The security implications of the use of custom scheme/content handlers
are unclear and underdocumented. The specification does list a number of
concerns, but most of them simply describe the concern and delegate
fixing the issue to the user agent. Additionally, several issues lack
the necessary level of depth (for example, it is unclear why secure URLs
should not be sent to a third-party handler, since unprotected HTTPS
URLs are publicly accessible anyway).

Additionally, no awareness indicators are required, which can be
unintuitive towards users. This becomes especially relevant for handlers
that were registered a long time ago, and since forgotten about.


 Recommended Solution
----------------------

Investigate the potential security consequences and formulate concrete
ways to address them. Including these in the specification will lead to
a uniform and secure implementation by browser vendors.



(*) HTML version of the report is available as well:
https://distrinet.cs.kuleuven.be/projects/HTML5-security/

-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Wednesday, 3 August 2011 05:53:54 UTC