- From: Maciej Stachowiak <mjs@apple.com>
- Date: Mon, 07 Dec 2009 02:39:41 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Ian Hickson <ian@hixie.ch>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Dec 6, 2009, at 1:47 PM, Boris Zbarsky wrote:

> On 12/6/09 9:04 AM, Maciej Stachowiak wrote:
>> WebKit uses unique origins for data: URIs, which I think Gecko used to
>> do as well, but it looks like they have changed. It's a security hole to
>> use the parent's origin, if you can cause navigation to a data: URI in a
>> frame in a different-origin parent.
>
> Gecko has used the "parent" origin for data: URIs at least since
> mozilla bug 31818 was fixed in June 2000.
>
> That said "parent" is not the parent document, but whatever
> triggered the load, in the following sense:

Right, "whatever triggered the load" is secure, but "parent" literally is not. Note that "about:blank" can literally follow a parent/opener rule without creating a security problem - it doesn't need to get the origin of whatever triggered the load.

> 1) If the load happens due to a change in the src attribute of a frame
> the origin of that frame's owner document is used.
> 2) If the load happens due to a window.location manipulation, the
> origin of the script performing said manipulation is used.
> 3) If a link click or form submission triggered the load, the origin of
> the ownerDocument of the <a> or <form> DOM node is used.
> 4) In some cases the origin that's used is the origin of whatever was
> loaded in the navigation context before the data: load. None of
> these cases can be triggered by Web-exposed APIs.
>
> I think that's a more or less complete list; effectively the entity
> performing the load in Gecko code has to indicate what origin should
> be used for the load; the above cases so indicate. If no origin is
> indicated a nonce origin is used.
>
> We do happen to think that this behavior is secure, and reasonably
> implementable. It does have a gotcha for website developers,
> however: if they allow user-contributed <iframe> or <object>
> elements and don't vet the "src" and "data" attribute, respectively,
> it allows the user to inject scriptable content into the page's
> origin... I happen to think that not vetting @src and @data is a
> problem in any case, but apparently some people don't do it.

I do think the Gecko behavior is secure and implementable (I said so in another message). I think it would be reasonable for HTML5 to spec it. I think what HTML5 says right now does not obviously match this rule. I think it would need to introduce a notion of the origin that initiated a load or navigation to get this right. I think that may also be necessary for javascript: URIs - the way javascript: URI handling is spec'd right now is kind of vague on the origin details.

Regards,
Maciej
Received on Monday, 7 December 2009 10:40:15 UTC
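The "gotcha" Boris describes (user-contributed `<iframe src>` / `<object data>` values that are not vetted, letting a `data:` document inherit the embedding page's origin under the Gecko rule) is a server-side input-validation problem. The following is an added example, not code from the thread or from either browser project: it vets an embed URL with the WHATWG `URL` parser (available in Node.js and modern browsers), allowing only http(s) targets, and wraps the result in a sandboxed iframe so the framed document gets a unique origin regardless of how the browser assigns origins to `data:` URLs. The base URL and the sample inputs are constructed for the example.

```javascript
// Added example (not from the original thread): vet a user-supplied
// <iframe src> / <object data> value before it reaches the page, so that a
// data: or javascript: URL cannot end up scriptable in the page's origin.

// Only absolute http(s) URLs (or relative URLs resolved against the page's own
// base) are accepted.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed base URL standing in for the page that embeds user content.
const PAGE_BASE = "https://example.test/posts/";

function vetEmbedUrl(raw, base = PAGE_BASE) {
  if (typeof raw !== "string") {
    return { allowed: false, reason: "not a string", url: null };
  }
  let parsed;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces and
    // lower-cases the scheme, so " DaTa:..." still parses with protocol
    // "data:" and cannot slip past a naive string-prefix check.
    parsed = new URL(raw, base);
  } catch (e) {
    return { allowed: false, reason: "unparseable", url: null };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return {
      allowed: false,
      reason: `scheme ${parsed.protocol} not allowed`,
      url: null,
    };
  }
  // Userinfo in the authority only serves to confuse readers of the URL.
  if (parsed.username || parsed.password) {
    return { allowed: false, reason: "credentials in URL", url: null };
  }
  return { allowed: true, reason: "ok", url: parsed.href };
}

// Minimal HTML attribute escaping for the serialized URL.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns the iframe markup for an accepted URL, or null if it was rejected.
// `sandbox` without allow-same-origin forces a unique origin on the framed
// document, which is defence in depth on top of the scheme check above.
function renderEmbed(raw) {
  const v = vetEmbedUrl(raw);
  if (!v.allowed) return null;
  return `<iframe sandbox="allow-scripts" src="${escapeAttr(v.url)}"></iframe>`;
}

// Constructed sample inputs a comment form might receive.
const SAMPLES = [
  "https://videos.example.test/embed/42",
  "/local/embed",
  "data:text/html,<script>alert(1)</script>",
  " DATA:text/html,x",
  "javascript:alert(1)",
  "https://user:pw@example.test/",
];

for (const s of SAMPLES) {
  const v = vetEmbedUrl(s);
  console.log(JSON.stringify(s), "->", v.allowed ? v.url : `rejected (${v.reason})`);
}
```

The check is done on the parsed `protocol`, not on the raw string, because the same parser the browser uses decides what scheme the attribute value really has; a prefix test on the untrimmed, case-sensitive string would accept the mixed-case and leading-space variants above.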