Re: Seamless iframes + CSS3 selectors = bad idea

Hi!

Ok Maciej, that makes sense..

Links for example may also hold sensitive information (actually the original
PoC was to read links.. then we figured out that passwords/forms/inputs were
better and easier), and I can see the case where devs want to use them
there.. so it wouldn't be a real option in my opinion.

What about blocking completely:

input[type=hidden][value$=]
input[type=hidden][value^=]
input[type=hidden][value*=]

input[password][value$=]
input[password][value^=]
input[password][value*=]
input[password][value=] (to avoid dictionary attacks)

a[rel*=nofollow][href$=]
a[rel*=nofollow][href^=]
a[rel*=nofollow][href*=]

iframe[src$=]
iframe[src^=]
iframe[src*=]

frame[src$=]
frame[src^=]
frame[src*=]

and event handlers as a whole (everything starting with on*) since devs
usually put nonces in there.

Am I missing something?

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/



On Tue, Dec 8, 2009 at 11:37 PM, gaz Heyes <gazheyes@gmail.com> wrote:

> 2009/12/8 Maciej Stachowiak <mjs@apple.com>
>
>> Both of these would store any interesting information as text nodes inside
>> the element. I don't believe any current selectors let you select based on
>> text contents of the element.
>>
>
> So the problem is we don't want the selectors to be used for certain
> elements but those elements vary. Then why don't we have a sensitive
> attribute with an HTML element which effectively disables the selectors.
> Something like:-
>
> <input type="text" sensitive="true" />
>
> or selectively enable the selectors like:-
> <input type="text" css-selectors="true" />
>

Received on Tuesday, 8 December 2009 15:53:41 UTC
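
Added example, not part of the original message or of any browser's code: a small static check that applies the blocklist proposed above to the selectors of a stylesheet, for reviewing CSS that will style framed content. The function names and the sample stylesheet are constructed, and `input[password]` is assumed to mean `input[type=password]`.

```javascript
// Assumptions: "input[password]" is read as input[type=password]; a missing tag or "*"
// matches any element; selectors are split naively on "," (no commas inside values).
const SUBSTR = ['$=', '^=', '*='];
const BLOCKLIST = [
  { tag: 'input',  guard: ['type', 'hidden'],   attr: 'value', ops: SUBSTR },
  { tag: 'input',  guard: ['type', 'password'], attr: 'value', ops: [...SUBSTR, '='] },
  { tag: 'a',      guard: ['rel', 'nofollow'],  attr: 'href',  ops: SUBSTR },
  { tag: 'iframe', guard: null,                 attr: 'src',   ops: SUBSTR },
  { tag: 'frame',  guard: null,                 attr: 'src',   ops: SUBSTR },
];
const COMPOUND = /([a-z][\w-]*|\*)?((?:[.#:][\w-]+|\[[^\]]*\])+)/gi; // tag + .class/#id/[attr]
const ATTR = /\[\s*([\w-]+)\s*(?:([$^*~|]?=)\s*["']?([^"'\]]*)["']?\s*)?\]/g;

function parseAttrs(text) { // "[a^=b][c]" -> [{name, op, value}, ...]
  return [...text.matchAll(ATTR)].map(m => ({
    name: m[1].toLowerCase(), op: m[2] || null, value: (m[3] || '').toLowerCase(),
  }));
}

function checkSelector(selector) { // returns the matched blocklist entry, or null
  for (const m of selector.matchAll(COMPOUND)) {
    const tag = (m[1] || '*').toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (attrs.some(a => a.name.startsWith('on'))) return 'event handler attribute';
    for (const rule of BLOCKLIST) {
      if (tag !== '*' && tag !== rule.tag) continue;
      const guarded = !rule.guard || attrs.some(a =>
        a.name === rule.guard[0] && a.value.includes(rule.guard[1]));
      const probe = attrs.find(a => a.name === rule.attr && rule.ops.includes(a.op));
      if (guarded && probe) return `${rule.tag}[${rule.attr}${probe.op}]`;
    }
  }
  return null;
}

function flagSelectors(cssText) { // scan rule preludes (text before each "{")
  const preludes = cssText.replace(/\/\*[\s\S]*?\*\//g, '').match(/[^{}]+(?=\{)/g) || [];
  return preludes.flatMap(p => p.split(','))
    .map(s => ({ selector: s.trim(), reason: checkSelector(s.trim()) }))
    .filter(f => f.reason);
}
// Constructed sample stylesheet (not from the original message).
const SAMPLE = `
  input[type=hidden][value^="a"] { color: red; }
  a[href$=".pdf"] { padding-left: 16px; }
  div[onclick*="token"], iframe[src*="sid="] { color: red; }
  input[type="password"][value="letmein"] { color: blue; }
`;
console.log(flagSelectors(SAMPLE));
```

The check follows the list literally: a selector such as `input[value^=...]` with no `type` guard is not on the list yet still applies to hidden and password fields, so a stricter review would drop the guard requirement.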