Re: Seamless iframes + CSS3 selectors = bad idea from Adam Barth on 2009-12-06 (public-web-security@w3.org from December 2009)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 5 Dec 2009 23:34:49 -0800
To: Ian Hickson <ian@hixie.ch>
Cc: Maciej Stachowiak <mjs@apple.com>, sird@rckc.at, public-web-security@w3.org
Message-ID: <7789133a0912052334k2bd70874uf717fa91a2bae98a@mail.gmail.com>

I think you're missing the main attack that sird's worried about:

Assumptions:

1) The attacker can injection content into the target web site, but
cannot injection script.
2) The target site uses secret tokens in hidden input fields as its
CSRF defense.

Consequences:

A) The attacker can mount a CSRF attack against the target web site.

This is bad, but has nothing to do with seamless and everything to do
with these CSS3 selectors.

Adam


On Sat, Dec 5, 2009 at 11:12 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Sat, 5 Dec 2009, Maciej Stachowiak wrote:
>> On Dec 5, 2009, at 10:27 PM, Maciej Stachowiak wrote:
>> >
>> > I think the attack is that you can inject CSS in an unwilling victim
>> > page by embedding it in a seamless iframe (since CSS rules are
>> > supposed to cascade into the iframe's contained document per HTML5).
>> > However, since the contents of a seamless iframe have to be
>> > same-origin, the embedding page could just script it directly. Thus,
>> > I'm not sure what the vulnerability is. It's not safe to put a page on
>> > a given origin that contains data which must not be leaked to other
>> > pages on that origin. If anyone does that, then violating their
>> > mistaken assumption is not XSS. It does seem slightly novel that one
>> > page in a given origin could extract data from another on that same
>> > origin even if JavaScript is disabled.
>>
>> OK, I thought of a possible real vulnerability. A trusted host page on
>> the site wants to embed some untrusted user-generated content with the
>> ability to modify it, so it embeds it, hosted from its own server, using
>> <iframe sandbox="allow-same-origin">. This should prevent scripting and
>> plugins, so in theory it seems safe. But the untrusted content could
>> embed a further iframe with the seamless flag, embedding an arbitrary
>> document from the hosting service. It can then use CSS selectors to
>> probe for data in that document.
>
> Fair enough. I've made the spec make seamless not work inside sandboxed
> iframes.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
>

Received on Sunday, 6 December 2009 07:35:44 UTC