Re: Seamless iframes + CSS3 selectors = bad idea

2009/12/8 Adam Barth <w3c@adambarth.com>

> That seems to address the proximate issue, but it feels like
> blacklisting.  Are there other related attacks we're not thinking of
> that would make sense to address at the same time?
>

Well, my POC used a dictionary attack to get the value of the first name text
field. There could be information disclosure issues in future. These could
be mitigated by limiting the number of external requests.

Received on Tuesday, 8 December 2009 09:35:50 UTC