Re: text/sandboxed-html

On Thu, Jun 3, 2010 at 2:55 PM, Artur Adib <arturadib@gmail.com> wrote:
> On Thu, Jun 3, 2010 at 5:37 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>> Could an attacker use a custom Flash object to force top-level navigation?
>
> Good question.
>
> Adam- Do you happen to know if that's possible in WebKit?  I mean, I
> don't even know if Flash has access to 'top.location', but if it does,
> will @sandbox protect it?

You can run an experiment and see, but, in general, there's no way for
the browser to contain what plug-ins are able to do.  If navigating
the top frame doesn't work today, that's an accident of implementation
and not a security property, which means you can probably find some
tricky way of asking Flash to navigate the top frame that works.

> At any rate, since most of our problems are JavaScript-based, that's a
> risk we're willing to take.  Hopefully the plugin APIs will soon
> respect @sandbox, but until then, as I have argued "allow-plugins" is
> still useful, and can be implemented in parallel with the APIs (see my
> previous message).

Unfortunately, that's not a good basis for designing a security
primitive.  We'd prefer to provide security primitives that address
all the avenues an attacker has in a particular threat model rather
than only blocking some attacks.  For example, suppose we do as you
suggest and it's still possible to use Flash to bypass this security
restriction.  In a year or two, you'll have the same problems you have
today, except that all these sites will be using Flash to framebust
rather than JavaScript.

Adam

Received on Friday, 4 June 2010 17:01:44 UTC
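An added experiment harness, not from the thread or from any browser project: a page that embeds an iframe sandboxed with only allow-scripts, whose script tries to navigate the top frame and reports what happened to the parent over postMessage. It exercises only the JavaScript path that @sandbox is meant to cover, which is the "run an experiment" part of the reply; the target URL is a placeholder.

```html
<!DOCTYPE html>
<!-- Added experiment harness (not from the thread): can a sandboxed frame's
     script navigate the top-level page? Open this file in a browser. -->
<meta charset="utf-8">
<title>sandbox top-navigation experiment</title>
<p>Result: <span id="out">waiting for the frame...</span></p>
<script>
  // The parent only listens. The sandboxed frame has an opaque origin, so
  // postMessage is its one channel back to this page.
  window.addEventListener('message', function (e) {
    document.getElementById('out').textContent = String(e.data);
  });
</script>
<!-- allow-scripts lets the frame run script; without allow-top-navigation
     the browser must refuse the frame's attempts to set top.location. -->
<iframe sandbox="allow-scripts" srcdoc='
  <script>
    try {
      // https://example.invalid/ is a placeholder; a framebusting site would
      // point this at its own top-level URL.
      top.location = "https://example.invalid/";
      // Some engines refuse silently instead of throwing. If this page is
      // still on screen, the navigation was blocked either way.
      parent.postMessage("no exception; page still here, so blocked silently", "*");
    } catch (err) {
      parent.postMessage("blocked with " + err.name + ": " + err.message, "*");
    }
  </script>'></iframe>
```

If the result line never changes and the browser has navigated away, the frame was allowed to navigate top; that is the outcome to look for when repeating the experiment with other frame content.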