W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 17:37:21 +0800
Message-ID: <8ba534860912080137y78fbe92el32457bd47ff58a43@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Reading links wouldn't be protected by gareth solution. (nonces on links for
example, and other potential sensitive information..).

Btw, I think NoScript will start protecting it's users against this attack
on the near future (kudos to Giorgio).. it's a bit complicated because of
@charset rules and UTF BOMs.. but it's probably gonna work.. he is going to
disable attribute selectors (*=, ^=, $=) on some cases.. I'm not aware of
the details yet.. but I think that's great news!!

-- Eduardo

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 5:32 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Tue, Dec 8, 2009 at 1:24 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> > 2009/12/8 Adam Barth <w3c@adambarth.com>
> >> One of my favorite parts about security is that "the buck stops here,"
> >> meaning finger-pointing about who's responsible for what doesn't
> >> really matter.  In the end, we need to consider the security of the
> >> system as a whole.
> >>
> >> If you agree that we ought to do something about the threat of
> >> stealing CSRF tokens with attribute selectors, then the question
> >> becomes "what should we do?" not "who's responsible for the problem?"
> >>
> >> So, what should we do?
> >
> > One possible solution would be to ignore hidden field types and password
> > field types when using selectors.
> That seems to address the proximate issue, but it feel like
> blacklisting.  Are there other related attacks we're not thinking of
> that would make sense to address at the same time?
> Adam
Received on Tuesday, 8 December 2009 09:38:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC