- From: Adam Barth <ietf@adambarth.com>
- Date: Mon, 4 Oct 2010 22:06:39 -0700
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: IRI WG mailing list <public-iri@w3.org>
On Mon, Oct 4, 2010 at 10:00 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Adam Barth wrote:
>>[[
>> The in-context evaluation operation necessitates extreme caution in
>> deciding where resource identifiers using this scheme are recognized
>> and permitted and what facilities are made available to script code,
>> like access to private information and operations with side effects.
>>]]
>>
>>I probably would have said something a bit stronger than that.
>>JavaScript URLs are a security disaster. I wouldn't recommend their
>>use by anyone with a choice in the matter. :)
>
> Like I noted when I announced the revised draft, there has been some
> criticism in that direction, but nobody submitted text and I could not
> come up with text that I didn't feel was misleading (most problems
> with this scheme are shared by other schemes in one form or another,
> so singling this scheme out may be a bad idea). If there was consensus
> that the scheme should be deprecated, I'd gladly do that, but that's
> not where we are.
>
> It would be great if there was, say, a peer-reviewed paper that
> discusses the poor security record with this scheme in some detail, which
> I would gladly reference in the specification, but I have not yet come
> across anything like that.

Yeah, I can't think of something off-hand that would be particularly good
to cite. JavaScript URL XSS isn't usually broken out from other kinds of
XSS.

JavaScript URLs have been particularly problematic in Firefox, where
JavaScript URLs have been directly responsible for a handful of arbitrary
code execution vulnerabilities (read: install malware on your machine).
The main reason for that is that Firefox implements its UI using a fully
privileged HTML-like language and Firefox supports JavaScript URLs in the
src attribute of image elements.

Adam
Received on Tuesday, 5 October 2010 05:15:50 UTC
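The "JavaScript URL XSS" Adam refers to is the case where an attacker-controlled string ends up in an href or src attribute and the browser treats it as a javascript: URL. The following is an added example, not code from this thread or from any browser, showing why a naive denylist on the literal prefix "javascript:" is insufficient and what an allowlist check looks like instead. It uses the WHATWG URL parser that Node.js and browsers expose as the global `URL` class, so that the input is normalised the same way a browser would normalise it before deciding what scheme it has (leading and trailing controls and whitespace stripped, tab/LF/CR removed, scheme lowercased). The base origin `https://example.invalid/`, the allowed-scheme set and the sample inputs are all constructed for the example.

```javascript
// Added example (not from the mailing-list thread): allowlisting URL schemes
// for untrusted href/src values, beside the naive prefix check it replaces.

// Hypothetical base origin, used only to resolve relative inputs such as "/x".
const BASE = 'https://example.invalid/';

// Schemes a link or image may use. Everything else (javascript:, data:,
// vbscript:, ...) is rejected: an allowlist, not a denylist.
const ALLOWED = new Set(['http:', 'https:', 'mailto:']);

// Naive denylist: the check many early XSS filters used. It only sees the
// literal bytes of the string, not what the browser will make of them.
function naiveIsSafe(raw) {
  return !raw.toLowerCase().startsWith('javascript:');
}

// Hardened allowlist: let the WHATWG URL parser normalise the input the same
// way the browser does (strip leading/trailing C0 controls and spaces, drop
// tab/LF/CR anywhere, lowercase the scheme), then compare the resulting scheme.
function isSafeUrl(raw) {
  let url;
  try {
    url = new URL(raw, BASE);
  } catch (e) {
    return false; // unparseable input: reject rather than guess
  }
  return ALLOWED.has(url.protocol);
}

// What to actually place in the attribute: the parser's serialisation of an
// accepted URL, or an inert placeholder. Never the raw attacker string.
function safeHref(raw) {
  return isSafeUrl(raw) ? new URL(raw, BASE).href : 'about:blank';
}

// Constructed inputs: benign links plus javascript: variants that the prefix
// check lets through even though a browser still executes them.
const SAMPLES = [
  ['https://example.com/page', true],
  ['/relative/path?q=1', true],
  ['mailto:security@example.com', true],
  ['javascript:alert(1)', false],
  ['JaVaScRiPt:alert(1)', false],
  [' \t javascript:alert(1)', false],   // leading space and tab
  ['java\nscript:alert(1)', false],     // newline inside the scheme
  ['java\rscript:alert(1)', false],     // carriage return inside the scheme
  ['data:text/html,<script>alert(1)</script>', false],
  ['vbscript:msgbox(1)', false],
];

// Classify every sample with both checks; `correct` is whether the hardened
// check agrees with the expected verdict.
function evaluate() {
  return SAMPLES.map(([raw, expected]) => ({
    raw,
    naive: naiveIsSafe(raw),
    hardened: isSafeUrl(raw),
    correct: isSafeUrl(raw) === expected,
  }));
}

for (const r of evaluate()) {
  console.log(
    `${JSON.stringify(r.raw).padEnd(48)} naive=${r.naive} hardened=${r.hardened}`
  );
}
```

The three whitespace variants are the interesting rows: `naiveIsSafe` passes them, because the string does not start with "javascript:", while the URL parser reports `protocol === 'javascript:'` for each, which is exactly what a browser navigating the link would do. Checking the parsed scheme against an allowlist sidesteps that whole class of encoding tricks, and also rejects data: and vbscript: without needing a list of every dangerous scheme. Note that this covers the URL-level problem only; if the value is written into markup rather than set through the DOM, HTML entity decoding happens before the URL parser sees the string and the attribute value must be escaped for that context as well.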