Re: ACS (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 18:19:13 +0800
Message-ID: <8ba534860912080219i923a669x327ebe9c80c163cb@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Oh, and in this case, in my sandbox (Phantom sandbox) I use the native Firefox
protection of "nodeless" or "ghost" documents from the generated principal.

So it should be safe. There are quite a few ways of making a safe JS
sandbox, especially if we have browser support (wrappers + independent
principals mostly).

-- Eduardo

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 5:43 PM, gaz Heyes <gazheyes@gmail.com> wrote:

> 2009/12/8 Adam Barth <w3c@adambarth.com>
>> It's not as simple as that.  It is very difficult to mix JavaScript
>> objects that belong to different principals.  You can do it if you
>> constrain the attacker to a "safe" subset of JavaScript like Caja, but
>> in general, the attacker can wreck you with leaked pointers.
> I constrain JavaScript using $$ rewriting. So for example:-
> x=alert;
> x(1)
> Becomes:-
> var $x$;$window$.$x$=$x$;
> $x$=$alert$;
> $x$(Number(1))
> The code is executed in an iframe window and every function/property is
> whitelisted. var is used to make all variables fall back to local scope and a
> fake window object is used when doing stuff like:-
> (1,[].sort)() // Firefox leaks window
> I run a syntax check using function before and after the conversion. It
> seems pretty safe but I haven't really had much help apart from a few people
> on sla.ckers. The only drawback is objects that belong to another window, in
> that case I need to pass the window scope to check if objects return to
> window.
Received on Tuesday, 8 December 2009 10:20:13 UTC
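
Added example, not part of the original message and not code from either sandbox discussed in it: one way to do the check the quoted text describes, where a wrapper around each whitelisted function swaps the real global object for a fake window, both as receiver and as return value. The names makeGuard, fakeWindow and leaky are hypothetical, and leaky is a constructed stand-in for a function that returns its receiver.

```javascript
// Added illustration. makeGuard, fakeWindow and leaky are hypothetical names.
const realGlobal = globalThis;

// Stand-in for the sandbox's fake window object (constructed for this example).
const fakeWindow = Object.freeze(
  Object.assign(Object.create(null), { name: "fake-window" })
);

// Wrap a whitelisted function so the real global object is never used as its
// receiver and never handed back to sandboxed code as a return value.
function makeGuard(fn, real, fake) {
  const swap = (v) => (v === real ? fake : v);
  return function guarded(...args) {
    // A missing receiver turns into the global object inside a sloppy-mode
    // callee, so substitute the fake window before the call is made.
    const self = this === undefined || this === null ? fake : swap(this);
    // Check the result as well, since some functions return their receiver.
    return swap(Reflect.apply(fn, self, args));
  };
}

// Constructed stand-in for a function that returns its receiver. Functions
// built with the Function constructor are sloppy-mode, so a call with no
// receiver sees the global object as `this`.
const leaky = new Function("return this");

function unguardedResult() {
  return (0, leaky)();
}

function guardedResult() {
  return (0, makeGuard(leaky, realGlobal, fakeWindow))();
}

console.log("unguarded leaks global:", unguardedResult() === realGlobal);
console.log("guarded leaks global:", guardedResult() === realGlobal);
```

The guard compares only against the global object it is given, so objects that belong to another window need that window's global passed in as well, which is the drawback the quoted message mentions.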