Re: [WARP] Comments to WARP spec

Hi Marcin,

On Nov 19, 2009, at 09:44 , Marcin Hanclik wrote:
> Great thanks for the descriptive example!

A pleasure :)

> The security issue in your example results from the eval that is contained in the html within a widget. So we could assume that if the widget is signed we could somehow rely on its content. Then the evil eval would maybe not be used (at least not in the context you quote).

Perhaps, but the example I used was very straightforward and easy to review — it would be possible for the original HTML to be a trojan with a less obvious attack path.

For instance consider a createElement(name, parent, content) method; you could obtain "script" and "alert('I am evil!')" using the same trick, and call createElement("script", document.body, "alert('I am evil!')") — it would work just the same as eval().

> However, since some images can also be executed, the distinction is de-facto void.

Right, it's one of those things that people would've done differently if we'd had a chance to think about the consequences while the web was being organically grown, but that's water under the bridge now.

-- 
Robin Berjon - http://berjon.com/

Received on Thursday, 19 November 2009 10:15:01 UTC
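
The point made in this message, as an added example that is not part of the original email: a review that only looks for eval() finds nothing in the constructed widget script below, so the check also treats a createElement call whose tag name is decided at run time as a code sink. The sample source, the loadConfig name and the finding labels are assumptions made for illustration.

```javascript
// Added example: line-based review heuristic, not a full JavaScript parser.
const RULES = [
  { kind: 'eval', re: /\beval\s*\(/ },
  { kind: 'function-constructor', re: /\bnew\s+Function\s*\(/ },
];
// Captures an optional leading "function " and the first argument of the call.
const CREATE = /(function\s+)?\bcreateElement\s*\(\s*([^,)]*)/g;
const LITERAL = /^(['"])([^'"]*)\1$/;

function findCodeSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { kind, re } of RULES) {
      if (re.test(text)) findings.push({ line: i + 1, kind });
    }
    for (const m of text.matchAll(CREATE)) {
      if (m[1]) continue; // a declaration of the helper, not a call
      const lit = LITERAL.exec(m[2].trim());
      if (!lit) {
        // Tag name decided at run time: it can turn out to be "script".
        findings.push({ line: i + 1, kind: 'dynamic-element' });
      } else if (lit[2].toLowerCase() === 'script') {
        findings.push({ line: i + 1, kind: 'script-element' });
      }
    }
  });
  return findings;
}

// Constructed sample: a widget script that never calls eval(). The tag name
// and content arrive as data, as in the createElement case described above.
const SAMPLE_WIDGET = [
  'function createElement(name, parent, content) {',
  '  var el = document.createElement(name);',
  '  el.textContent = content;',
  '  parent.appendChild(el);',
  '}',
  'var cfg = loadConfig();  // hypothetical loader returning remote data',
  'createElement(cfg.tag, document.body, cfg.body);',
  'createElement("p", document.body, "hello");',
].join('\n');

for (const f of findCodeSinks(SAMPLE_WIDGET)) {
  console.log(`line ${f.line}: ${f.kind}`);
}
```

A match here means "review this call as if it were eval()", since the heuristic cannot tell what the run-time value will be.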