- From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
- Date: Thu, 19 Nov 2009 09:44:48 +0100
- To: Robin Berjon <robin@berjon.com>
- CC: WebApps WG <public-webapps@w3.org>
Hi Robin,

Great thanks for the descriptive example!

At first I thought that it all depends on the trust model. The security issue in your example results from the eval that is contained in the HTML within a widget. So we could assume that if the widget is signed we could somehow rely on its content. Then the evil eval would maybe not be used (at least not in the context you quote). So we could have the simple distinction between executable content (js, html) and non-executable content (img, css [until scripts come there]).

However, since some images can also be executed, the distinction is de-facto void. Therefore it seems the use case is not doable, because we probably do not want to overload the implementations with [SNIFF] algorithms.

Thanks,
Marcin

Marcin Hanclik
ACCESS Systems Germany GmbH
Tel: +49-208-8290-6452 | Fax: +49-208-8290-6465
Mobile: +49-163-8290-646
E-Mail: marcin.hanclik@access-company.com

-----Original Message-----
From: Robin Berjon [mailto:robin@berjon.com]
Sent: Wednesday, November 18, 2009 6:37 PM
To: Marcin Hanclik
Cc: WebApps WG
Subject: Re: [WARP] Comments to WARP spec

Hi Marcin,

On Nov 18, 2009, at 14:37 , Marcin Hanclik wrote:
>>> One could request an
>>> image that is redirected to http://address/of/image?put+a+complete+script+here
>>> and then evaluate the query.
> Ok, but then it will still be processed as image and will result in an invalid image, I think.

Not so. Consider the following piece of Perl:

    #!/usr/bin/perl
    # CGI script: answers with a redirect whose target URL carries script in the query string
    print "Location: img.png?alert('I am evil!')\n\n";

And the following HTML:

    <!DOCTYPE html>
    <iframe src='img.pl' id='pl'></iframe>
    <script>
    window.onload = function () {
      // reads the query string of the redirected iframe and evaluates it
      eval(unescape(document.getElementById("pl").contentDocument.location.search.substring(1)));
    }
    </script>

This produces the expected alert. No script was ever exchanged, and I get the image to display perfectly fine.
--
Robin Berjon - http://berjon.com/
Received on Thursday, 19 November 2009 08:45:35 UTC
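Added example, not code from either message: a Node.js simulation of the redirect chain Robin describes, contrasting a runtime that decides by the content type of the final response (which still admits the query-string payload) with a WARP-style check of every hop's origin against the widget's declared access list. The hosts, the chain, the access list and all function names are constructed for this example.

```javascript
// Constructed sample: the widget fetches what looks like an image from its own
// declared origin; the server answers 302 with a Location whose query string
// carries script, as in the img.pl demonstration above.
const SAMPLE_CHAIN = [
  { url: 'http://widget.example/img.pl', status: 302, contentType: null },
  { url: 'http://address/of/img.png?alert(%27I%20am%20evil%21%27)',
    status: 200, contentType: 'image/png' },
];

// Constructed access list, standing in for the widget's <access origin="..."> entries.
const ACCESS_LIST = ['http://widget.example'];

// Policy A: "non-executable content is safe" - looks only at what came back.
function typeBasedPolicyAllows(chain) {
  const last = chain[chain.length - 1];
  return typeof last.contentType === 'string' && last.contentType.startsWith('image/');
}

// Policy B: every hop of the chain, redirect targets included, must have an
// origin on the access list; one undeclared origin denies the whole request.
function originBasedPolicyAllows(chain, accessList) {
  return chain.every(hop => accessList.includes(new URL(hop.url).origin));
}

// What widget script can read from contentDocument.location.search once the
// final URL has loaded, independent of the content type that was served
// (the original demo uses unescape; decodeURIComponent is the modern equivalent).
function queryStringSeenByWidget(chain) {
  const last = new URL(chain[chain.length - 1].url);
  return decodeURIComponent(last.search.substring(1));
}

function demo() {
  return {
    typeBased: typeBasedPolicyAllows(SAMPLE_CHAIN),
    originBased: originBasedPolicyAllows(SAMPLE_CHAIN, ACCESS_LIST),
    query: queryStringSeenByWidget(SAMPLE_CHAIN),
  };
}

console.log(demo());
```

The type-based policy reports the fetch as allowed while the query string is already available to the widget's script; only a per-hop origin check rejects the redirect to the undeclared host.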