Re: Proposal: Security checks after same-origin revocation with document.domain from Ian Hickson on 2012-06-26 (public-script-coord@w3.org from April to June 2012)

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 26 Jun 2012 02:08:42 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
cc: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
Message-ID: <Pine.LNX.4.64.1206260200240.26380@ps20323.dreamhostps.com>

On Mon, 25 Jun 2012, Boris Zbarsky wrote:
> On 6/25/12 7:13 PM, Ian Hickson wrote:
> > It can load A in an iframe.
> 
> Ah, fair.  So yes, reflecting random markup off the server is bad.  ;)

So is taking references to nodes on other sensitive pages before changing 
your security context. :-)

> > > No, they do security checks at Window boundaries.  You're saying 
> > > that authors should assume those security checks are not there.  
> > > But they are, precisely to provide _some_ protection.
> > 
> > But you're arguing this protection is essentially worthless
> 
> No, I'm arguing this protection is hard to work with.  That's not the 
> same thing.  _You_ are arguing it's worthless.

I wasn't really arguing anything more specific than "we don't value 
document.domain", but if I had to argue something, it would likely be that 
it's not that difficult to not screw this up, at least no harder than the 
many other equally dangerous things one must do, like correctly escaping 
HTML from user generated content.

> I think providing what's in the spec now makes some existing things work 
> and makes it _possible_ to write pages that are safe but very difficult 
> to do so.
> 
> I think doing security checks (if needed; note that a UA can optimize 
> many of these away for actual same-origin access) on a larger set of 
> objects would make it _easier_ to write pages that are safe (though not 
> completely foolproof, as your markup reflection example points out).

I don't fundamentally object to adding these requirements, if everyone 
wants to implement them. After all, I'm going to spec whatever the 
browsers do, at the end of the day. But given that these problems only 
occur when you use document.domain, and given that document.domain is a 
security disaster waiting to happen even if we do this, I really don't see 
much point. I'd much rather have document.domain throw a big red warning 
in the console and advocate for its demise.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 26 June 2012 02:09:08 UTC