- From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
- Date: Thu, 19 Nov 2009 11:38:43 +0100
- To: Robin Berjon <robin@berjon.com>
- CC: WebApps WG <public-webapps@w3.org>
Hi Robin,

>> For instance consider a createElement(name, parent, content) method; you could obtain
>> "script" and "alert('I am evil!')" using the same trick, and call
>> createElement("script", document.body, "alert('I am evil!')") - it would work just
>> the same as eval().

Yes, it seems the architecture is simply vulnerable per current design (e.g. in ECMA allowing non-strict eval etc.) and we cannot do too much.

>> Right, it's one of those things that people would've done differently if we'd had a
>> chance to think about the consequences while the web was being organically grown, but
>> that's water under the bridge now.

Keeping the context of having a chance: what about event naming in [1]?

Thanks,
Marcin

[1] http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0795.html

Marcin Hanclik
ACCESS Systems Germany GmbH
Tel: +49-208-8290-6452 | Fax: +49-208-8290-6465
Mobile: +49-163-8290-646
E-Mail: marcin.hanclik@access-company.com

-----Original Message-----
From: Robin Berjon [mailto:robin@berjon.com]
Sent: Thursday, November 19, 2009 11:15 AM
To: Marcin Hanclik
Cc: WebApps WG
Subject: Re: [WARP] Comments to WARP spec

Hi Marcin,

On Nov 19, 2009, at 09:44 , Marcin Hanclik wrote:
> Great thanks for the descriptive example!

A pleasure :)

> The security issue in your example results from the eval that is contained in the html within a widget. So we could assume that if the widget is signed we could somehow rely on its content. Then the evil eval would maybe not be used (at least not in the context you quote).

Perhaps, but the example I used was very straightforward and easy to review - it would be possible for the original HTML to be a trojan with a less obvious attack path. For instance consider a createElement(name, parent, content) method; you could obtain "script" and "alert('I am evil!')" using the same trick, and call createElement("script", document.body, "alert('I am evil!')") - it would work just the same as eval().

> However, since some images can also be executed, the distinction is de-facto void.

Right, it's one of those things that people would've done differently if we'd had a chance to think about the consequences while the web was being organically grown, but that's water under the bridge now.

--
Robin Berjon - http://berjon.com/

________________________________________
Access Systems Germany GmbH
Essener Strasse 5 | D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda
www.access-company.com

CONFIDENTIALITY NOTICE
This e-mail and any attachments hereto may contain information that is privileged or confidential, and is intended for use only by the individual or entity to which it is addressed. Any disclosure, copying or distribution of the information by anyone else is strictly prohibited. If you have received this document in error, please notify us promptly by responding to this e-mail. Thank you.
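As an added illustration of the point Robin makes above (example code, not from this thread or the WARP spec): a small static audit that a widget reviewer could run over package source to flag eval-equivalent constructs, including the element-name-comes-from-data pattern that makes a createElement(name, parent, content) helper as powerful as eval(). The rule list is a heuristic, not a JavaScript parser, and the widget source it scans is constructed for the example.

```javascript
// Heuristic rules for "code from data" constructs a signature-plus-review
// model can miss. Each rule is a regex applied per source line.
const EVAL_EQUIVALENTS = [
  { id: "eval",          re: /\beval\s*\(/ },
  { id: "Function-ctor", re: /\bFunction\s*\(/ },
  { id: "timer-string",  re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  { id: "script-elem",   re: /\.createElement\s*\(\s*["'`]script["'`]/i },
  // Element name is not a string literal: "script" can arrive as data.
  { id: "dynamic-elem",  re: /\.createElement\s*\(\s*[^"'`\s)]/ },
  { id: "innerHTML",     re: /\.(?:innerHTML|outerHTML)\s*=(?!=)/ },
  { id: "doc-write",     re: /\bdocument\.write(?:ln)?\s*\(/ },
  { id: "js-url",        re: /["'`]javascript:/i },
];

// Returns one finding per (line, rule) hit: { line, rule, text }.
function auditWidgetSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { id, re } of EVAL_EQUIVALENTS) {
      if (re.test(text)) {
        findings.push({ line: i + 1, rule: id, text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: a helper shaped like the createElement(name, parent,
// content) discussed in the thread, with the tag name taken from data.
const SAMPLE_WIDGET_JS = [
  "function createElement(name, parent, content) {",
  "  var el = document.createElement(name);",
  "  el.textContent = content;",
  "  parent.appendChild(el);",
  "}",
  "var tag = parts[0], body = parts[1];",
  "createElement(tag, document.body, body); // name comes from data",
  'document.getElementById("out").innerHTML = payload;',
].join("\n");

for (const f of auditWidgetSource(SAMPLE_WIDGET_JS)) {
  console.log(`line ${f.line} [${f.rule}]: ${f.text}`);
}
```

The dynamic-elem rule fires on the helper's own `document.createElement(name)` line, which is exactly the place where a reviewer would otherwise see nothing suspicious.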
Received on Thursday, 19 November 2009 10:45:03 UTC