- From: <bugzilla@jessica.w3.org>
- Date: Wed, 03 Aug 2011 05:53:00 +0000
- To: public-html@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13585 Summary: [html5] Sandbox disables clickjacking protection Product: HTML WG Version: unspecified Platform: Other URL: http://www.w3.org/mid/1312266482.13091.1.camel@papyrus OS/Version: All Status: NEW Severity: normal Priority: P3 Component: HTML5 spec (editor: Ian Hickson) AssignedTo: ian@hixie.ch ReportedBy: mike+html-wg-mailbot@w3.org QAContact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org public-html-comments posting from: Philippe De Ryck <philippe.deryck@cs.kuleuven.be> http://www.w3.org/mid/1312266482.13091.1.camel@papyrus The following comment contains detailed information about an issue that was discovered during a recent security analysis of 13 next generation web standards, organized by ENISA (European Network and Information Security Agency), and performed by the DistriNet Research Group (K.U. Leuven, Belgium). The complete report is available at http://www.enisa.europa.eu/html5 (*), and contains information about the process, the discovered vulnerabilities and recommendations towards improving overall security in the studied specifications. Summary --------- Using a sandbox prevents navigation of the top-level browsing context (unless specifically allowed), which disables common clickjacking protection mechanisms. This is problematic if an attacker uses such a sandbox to frame the victim page. Based on: HTML5, 11 July 2011 Relevant Sections: 4.8.2. The iframe element Issue ------- In order to perform a clickjacking attack, an attacker can frame the victim page using a sandbox iframe. The security features of the sandbox prevent the victim page from navigating the top-level browsing context to its own URL, as commonly done in clickjacking protection mechanisms. This effectively disables the victim's page clickjacking protection. Recommended Solution ---------------------- Add the following warning to section 4.8.2 (the iframe element) of the specification: Unwanted sandboxing of legitimate content can disable javascript-based clickjacking protection mechanisms. To prevent such attacks, legitimate content should provde adequate clickjacking protection [1]. [1] Busting frame busting: a study of clickjacking vulnerabilities at popular sites. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson in IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010) (*) HTML version of the report is available as well: https://distrinet.cs.kuleuven.be/projects/HTML5-security/ -- Philippe De Ryck K.U.Leuven, Dept. of Computer Science Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Received on Wednesday, 3 August 2011 05:53:01 UTC