- From: Eduardo' Vela <evn@google.com>
- Date: Wed, 30 Nov 2011 10:17:55 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: "sird@rckc.at" <sird@rckc.at>, "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CAFswPa8kpYEF75j-386Kxev2As65sQrLsL2ZHHnGys08T9qLuQ@mail.gmail.com>
srcdoc, seamless and sandbox are supposed to solve that problem I think. So you can modify the parent's innerhtml without destroying the sandbox.

On Nov 30, 2011 12:58 AM, "gaz Heyes" <gazheyes@gmail.com> wrote:

> Not sure it helps in this instance since you'd need a seamless/sandboxed
> iframe for every instance of the operation and what if you want to alter
> innerHTML inside a child node of what you've sandboxed. Unless I'm not
> getting your point. Oh btw this works in IE7 too xD
>
> On 30 November 2011 03:29, sird@rckc.at <sird@rckc.at> wrote:
>
>> You could use iframe@sandbox(allow-same-origin) + seamless to make it
>> secure I think?
>>
>> -- Eduardo
>>
>> On Tue, Nov 29, 2011 at 1:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>
>>> Hi all
>>>
>>> I decided to add staticHTML support in JavaScript. Hopefully this will
>>> be supported by the various vendors and should be much more secure than my
>>> version since you can have access to the DOM before it's rendered but for
>>> now it works via the Element prototype. There were a couple of problems I'd
>>> like to discuss, I couldn't find a way of allowing an element to be
>>> positioned or alter its dimensions without affecting elements around it.
>>>
>>> For example if an evil user were to do
>>> document.getElementById('x').staticHTML='<a href="//evilsite"
>>> style="position:absolute;left:100px;top:100px;">I'm overlapping something I
>>> shouldn't</a>'; then just via the property there isn't any way I could
>>> figure to protect against it. Maybe you could have a staticHTML area which
>>> would solve the problem by restricting all modifications to this area. Also
>>> I guess styles are useless too since adding directly to the DOM won't allow
>>> styles to be rendered, I could add a staticCssText option which could solve
>>> the problem.
>>>
>>> The other problem I had is that any element which has a class, id or
>>> name must be modified to make it safe from affecting the rest of the page,
>>> you wouldn't want an evil user to assign or modify an existing css class for
>>> example. The only way round this I could see was to prefix the staticHTML
>>> with a staticHTML appid to prevent it from being able to modify outside of
>>> its zone. Anyway I hope you support it :D
>>>
>>> Blog post here:
>>> http://www.thespanner.co.uk/2011/11/29/statichtml-property/
>>>
>>> Demo here:
>>> http://www.businessinfo.co.uk/labs/staticHTML/staticHTML.html
>>>
>>> Cheers
>>>
>>> Gareth

Received on Wednesday, 30 November 2011 18:18:34 UTC
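
The containment suggested in this thread, as an added example that is not part of the original messages: untrusted markup goes into an iframe with `sandbox="allow-same-origin"` and `srcdoc`, so script in it does not run, absolutely positioned content stays inside the frame's box, and its ids and classes live in a separate document. Function names are hypothetical, and `seamless` is left out because it was later dropped from the HTML standard.

```javascript
// Added example; function names are hypothetical, not from the thread.

// Escape text for a double-quoted HTML attribute value. The browser
// decodes srcdoc and parses the result as the framed document.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Only allow-same-origin is accepted. Adding allow-scripts next to it
// would let framed content reach the parent and remove the sandbox.
const PERMITTED_TOKENS = new Set(['allow-same-origin']);

function checkTokens(tokens) {
  for (const t of tokens) {
    if (!PERMITTED_TOKENS.has(t)) {
      throw new Error('sandbox token not permitted: ' + t);
    }
  }
  return tokens.join(' ');
}

// String form, for server-side templates.
function sandboxedFrameMarkup(untrustedHtml, tokens = ['allow-same-origin']) {
  return '<iframe sandbox="' + checkTokens(tokens) +
         '" srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>';
}

// DOM form, for the browser. Call once per untrusted region.
function mountSandboxed(container, untrustedHtml) {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', checkTokens(['allow-same-origin']));
  frame.srcdoc = untrustedHtml;
  container.appendChild(frame);
  return frame;
}

// Later edits to a child node inside the frame: the parent can reach
// contentDocument because of allow-same-origin, and markup written here
// still cannot run script because the frame's document is sandboxed.
function updateSandboxed(frame, selector, untrustedHtml) {
  const node = frame.contentDocument.querySelector(selector);
  if (node) node.innerHTML = untrustedHtml;
  return Boolean(node);
}

// Constructed sample: the overlapping link from the first message.
const SAMPLE = '<a href="//evilsite" style="position:absolute;left:100px;' +
               'top:100px;">I\'m overlapping something I shouldn\'t</a>';
```
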