- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 08 Dec 2009 08:00:47 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
- Message-id: <D0DC348E-60CE-46C2-9E39-7F349A7C56FF@apple.com>
On Dec 8, 2009, at 7:52 AM, sird@rckc.at wrote:

> Hi!
>
> Ok Maciej, that makes sense..
>
> Links for example may also hold sensitive information (actually the
> original PoC was to read links.. then we figured out that passwords/
> forms/inputs were better and easier), and I can see the case where
> devs want to use them there.. so it wouldn't be a real option in my
> opinion.
>
> What about blocking completely:
>
> input[type=hidden][value$=]
> input[type=hidden][value^=]
> input[type=hidden][value*=]
>
> input[password][value$=]
> input[password][value^=]
> input[password][value*=]
> input[password][value=] (to avoid dictionary attacks)

I'm not sure why input[type=password] requires more protection than other input types. It's extremely unlikely for a password to be provided in the value attribute, and as mentioned, the value attribute only reflects the original default value, not the current value. Some examples *were* shown of attacking just plain input[type=text] to grab a username, so maybe we should just apply this to inputs in general.

For the remaining examples, I don't understand the threat model enough to evaluate the effectiveness. Can you give some examples of sites with sensitive information in href, src or on* attributes?

> a[rel*=nofollow][href$=]
> a[rel*=nofollow][href^=]
> a[rel*=nofollow][href*=]
>
> iframe[src$=]
> iframe[src^=]
> iframe[src*=]
>
> frame[src$=]
> frame[src^=]
> frame[src*=]
>
> and event handlers as a whole (everything starting with on*) since
> devs usually put nonces in there.
>
> Am I missing something?
>
> Greetings!!
> -- Eduardo
> http://www.sirdarckcat.net/
>
> On Tue, Dec 8, 2009 at 11:37 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> 2009/12/8 Maciej Stachowiak <mjs@apple.com>
> Both of these would store any interesting information as text nodes
> inside the element. I don't believe any current selectors let you
> select based on text contents of the element.
>
> So the problem is we don't want the selectors to be used for certain
> elements but those elements vary. Then why don't we have a sensitive
> attribute with an HTML element which effectively disables the
> selectors. Something like:-
>
> <input type="text" sensitive="true" />
>
> or selectively enable the selectors like:-
> <input type="text" css-selectors="true" />
>
Received on Tuesday, 8 December 2009 16:01:29 UTC
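
The block list discussed in this message, sketched as a stylesheet audit that reports which selectors it would catch. This is an added example, not code from the thread or from any browser; the function names, the choice to apply the rules to any element rather than only input/a/iframe/frame, and the sample stylesheet are assumptions.

```javascript
// Added example. Rule set adapted from the selectors listed in the thread;
// applying it to any element (not only input/a/iframe/frame) is an assumption.
const SUBSTRING_OPS = new Set(["^=", "$=", "*="]);
const GUARDED_ATTRS = new Set(["value", "href", "src"]);
// [name], [name=val], [name^=val], ... ; quoted or bare (possibly empty) value.
const ATTR_RE =
  /\[\s*([a-zA-Z_][\w-]*)\s*(?:([~|^$*]?=)\s*(?:"[^"]*"|'[^']*'|[^\]\s]*)\s*)?\]/g;

// Return the reasons a single selector falls under the proposed block list.
function flagSelector(selector) {
  const reasons = [];
  for (const m of selector.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const op = m[2] || "";
    if (name.startsWith("on")) {
      reasons.push(`[${name}] targets an event-handler attribute`);
    } else if (GUARDED_ATTRS.has(name) && SUBSTRING_OPS.has(op)) {
      reasons.push(`[${name}${op}] substring-matches an attribute value`);
    }
  }
  return reasons;
}

// Walk a stylesheet and report every selector that would be blocked.
// Limitation: regex-based; CSS escapes, nested at-rules and commas inside
// quoted attribute values need a real CSS parser.
function auditStylesheet(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const rule of css.matchAll(/([^{}]+)\{[^{}]*\}/g)) {
    for (const raw of rule[1].split(",")) {
      const selector = raw.trim();
      const reasons = flagSelector(selector);
      if (reasons.length > 0) findings.push({ selector, reasons });
    }
  }
  return findings;
}

// Constructed sample input, not taken from any real site.
const SAMPLE_CSS = `
/* constructed sample */
input[type=hidden][value^="a"] { color: red; }
a[rel*=nofollow][href$=".pdf"], p.note { color: red; }
div[onclick] { display: none; }
input[type=text] { border: 1px solid; }
`;

console.log(auditStylesheet(SAMPLE_CSS));
```

Plain equality tests such as input[type=text] pass through unflagged, which matches the thread's focus on the substring operators.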