- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 4 Jun 2010 10:00:33 -0700
- To: Artur Adib <arturadib@gmail.com>
- Cc: robert@ocallahan.org, public-html@w3.org, Leonard Rosenthol <lrosenth@adobe.com>, Ian Hickson <ian@hixie.ch>
On Thu, Jun 3, 2010 at 2:55 PM, Artur Adib <arturadib@gmail.com> wrote:
> On Thu, Jun 3, 2010 at 5:37 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>> Could an attacker use a custom Flash object to force top-level navigation?
>
> Good question.
>
> Adam- Do you happen to know if that's possible in WebKit? I mean, I
> don't even know if Flash has access to 'top.location', but if it does,
> will @sandbox protect it?

You can run an experiment and see, but, in general, there's no way for the browser to contain what plug-ins are able to do. If navigating the top frame doesn't work today, that's an accident of implementation and not a security property, which means you can probably find some tricky way of asking Flash to navigate the top frame that works.

> At any rate, since most of our problems are Javascript-based, that's a
> risk we're willing to take. Hopefully the plugin APIs will soon
> respect @sandbox, but until then, as I have argued "allow-plugins" is
> still useful, and can be implemented in parallel with the APIs (see my
> previous message).

Unfortunately, that's not a good basis for designing a security primitive. We'd prefer to provide security primitives that address all the avenues an attacker has in a particular threat model rather than only blocking some attacks. For example, suppose we do as you suggest and it's still possible to use Flash to bypass this security restriction. In a year or two, you'll have the same problems you have today, except that all these sites will be using Flash to framebust rather than JavaScript.

Adam

Received on Friday, 4 June 2010 17:01:44 UTC