- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 17 Jan 2010 15:22:18 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: HTML WG <public-html@w3.org>
- Message-id: <6545CF0C-78CE-4A4C-A278-9B48072ACB43@apple.com>
On Jan 17, 2010, at 11:41 AM, Adam Barth wrote:

> Whenever we add a new syntax for executing script, there is some risk
> that web sites with weak XSS filters will mistakenly let attackers
> inject scripting using the new syntax. For example, a web site might
> let an attacker inject the following string:
>
> <iframe doc="<script>alert(1)</script>">
>
> The risk from this injection vector is mitigated because a
> regexp-based XSS filter will likely block the @doc attribute from
> containing HTML that executes script. However, more advanced XSS
> filters that understand how to parse HTML attributes might let that
> string through.
>
> There are a couple of options for resolving this issue:
>
> 1) Always give documents created with @doc a unique origin. This
> approach is consistent with the use case of using this attribute for
> untrusted content.
>
> 2) Change @doc from being an HTML attribute to being a DOM method.
> This approach also makes it impossible for authors to screw up the
> escaping.

Two other possibilities:

3) The presence of doc implies sandboxing.

4) doc doesn't work unless sandbox is also specified.

However, these might be vulnerable to sandbox="allow-script allow-same-origin" being injected along with the doc attribute.

Regards,
Maciej
Received on Sunday, 17 January 2010 23:22:52 UTC
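As an added illustration (not code from this thread), the filter gap Adam describes and the sandbox-injection caveat Maciej raises, in JavaScript: an attribute-aware <iframe> filter whose legacy policy passes the unknown @doc attribute through, beside a hardened version with an attribute allow-list and a filter-imposed sandbox. The simplified tag parser, the allow-list contents, and the constructed input string are assumptions made for this example, not part of any proposal in the thread.

```javascript
// Added example, not from the thread: a minimal attribute-aware <iframe> filter,
// showing how a policy that only checks src lets "<iframe doc=...>" through, and
// how an attribute allow-list plus a filter-imposed sandbox closes that gap.

// Matches one attribute: name, then optionally ="..." / '...' / unquoted value.
const ATTR_RE = /([^\s="'>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Parse the attributes of one <iframe ...> start tag into a Map (simplified parser,
// not a full HTML tokenizer). Quoted values are consumed whole, so a ">" inside @doc
// does not terminate the tag early.
function parseIframeAttrs(tag) {
  const m = /^<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>$/i.exec(tag.trim());
  if (!m) throw new Error('not an <iframe> start tag');
  const attrs = new Map();
  for (const a of m[1].matchAll(ATTR_RE)) {
    attrs.set(a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? '');
  }
  return attrs;
}

// Legacy policy written before @doc existed: it only knows that src can carry
// script, so every other attribute, including doc, passes through untouched.
function filterLegacy(tag) {
  const attrs = parseIframeAttrs(tag);
  if (/^\s*javascript:/i.test(attrs.get('src') || '')) attrs.delete('src');
  return attrs;
}

// Hardened policy: an attribute allow-list drops anything the filter has never
// heard of (doc), and sandbox is always written by the filter itself, so an
// injected sandbox="allow-scripts allow-same-origin" cannot widen it.
const ALLOWED = new Set(['src', 'width', 'height', 'title']); // assumed allow-list
function filterHardened(tag) {
  const out = new Map();
  for (const [k, v] of parseIframeAttrs(tag)) {
    if (!ALLOWED.has(k)) continue;
    if (k === 'src' && !/^https?:\/\//i.test(v)) continue; // http(s) URLs only
    out.set(k, v);
  }
  out.set('sandbox', ''); // empty sandbox value = every restriction enabled
  return out;
}

// Re-serialize a filtered attribute map as an <iframe> start tag.
function serialize(attrs) {
  const parts = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`);
  return `<iframe ${parts.join(' ')}>`;
}

// Constructed input: the thread's injected string plus the sandbox override Maciej warns about.
const INJECTED = '<iframe doc="<script>alert(1)</script>" sandbox="allow-scripts allow-same-origin">';
```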