- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 11 Jun 2012 12:40:27 -0700
- To: Eric Chen <eric.chen@sv.cmu.edu>
- Cc: public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
On Mon, Jun 11, 2012 at 11:10 AM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> On Mon, Jun 11, 2012 at 10:59 AM, Adam Barth <w3c@adambarth.com> wrote:
>> It's actually really easy to use form-action 'none' in modern browsers:
>>
>> <form id="foo">
>> ...
>> </form>
>>
>> == Some external script ==
>>
>> var theForm = document.getElementById("foo");
>> theForm.addEventListener("submit", function() {
>>   var xhr = new XMLHttpRequest();
>>   xhr.open("POST", theURLToSendTheFormTo);
>>   xhr.send(theForm);
>> }, false);
>>
>> Also, many sites already use XMLHttpRequest for all their
>> client-to-server communication, so they wouldn't need to be modified
>> at all.
>
> In this case the attacker can just inject <form id="foo"> and trick the
> external script into attaching the event listener to the wrong form tag.

Again, you're assuming that the web site doesn't use CSRF tokens.
form-action 'none' works out of the box for sites like Gmail that use
idioms like the following:

var theForm = document.createElement("form");
[... build the form DOM ...]
theForm.addEventListener("submit", function() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", theURLToSendTheFormTo);
  xhr.send(theForm);
}, false);

In those cases, there's no ID confusion.

This approach also plays well with Web Components
<http://dvcs.w3.org/hg/webcomponents/raw-file/tip/explainer/index.html>
because Web Components scope their selectors to their <template>
elements:

<decorator id="tweet-it">
  <script src="tweet-it.js"></script>
  <template>
    <form id="tweet">
      <textarea name="message"></textarea>
      <input type="submit" name="tweet">
      [...]
    </form>
  </template>
</decorator>

== tweet-it.js ==

function go(event) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", theURLToSendTheFormTo);
  xhr.send(event.target);
}
this.listen({selector: "#tweet", type: "submit", handler: go});

I'm not arguing that form-action works for everyone.
I'm just suggesting that it's far from useless and it plugs one of the
bigger holes we'll be left with in a post-XSS future.

Adam
Received on Monday, 11 June 2012 19:41:29 UTC
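The ID confusion Eric raises and the build-the-form-in-script idiom Adam recommends, as an added example that is not part of the thread. It uses constructed stand-ins for the document and XMLHttpRequest so the logic runs under Node (a browser supplies the real ones); the endpoint URL, the field names and the csrf_token value are placeholders. It also adds two details the sketches in the thread leave out: preventDefault() on the submit event, so the natively blocked submission is never attempted, and explicit serialisation of the fields, since passing the form element itself to send() only stringifies it.

```javascript
"use strict";

// Constructed stand-ins so the example runs under Node. In a page served with
// "Content-Security-Policy: form-action 'none'" the real document and
// XMLHttpRequest take their place; nothing else changes.
class FakeXhr {
  open(method, url) { this.method = method; this.url = url; }
  send(body) { FakeXhr.sent.push({ method: this.method, url: this.url, body: String(body) }); }
}
FakeXhr.sent = []; // every request "sent", kept for inspection

class FakeForm {
  constructor(id, fields) {
    this.id = id; this.fields = fields; this.listeners = []; this.nativeAttempts = 0;
  }
  addEventListener(type, fn) { if (type === "submit") this.listeners.push(fn); }
  // Models the user pressing submit: handlers run first; unless one of them calls
  // preventDefault() the browser then attempts a native submission, which
  // form-action 'none' blocks. Here the attempt is only counted.
  submit() {
    let prevented = false;
    const event = { target: this, preventDefault() { prevented = true; } };
    for (const fn of this.listeners) fn(event);
    if (!prevented) this.nativeAttempts += 1;
    return prevented;
  }
}

class FakeDocument {
  constructor() { this.elements = []; }
  createElement() { return new FakeForm(null, {}); } // only forms are needed here
  appendChild(el) { this.elements.push(el); }
  // First element in document order wins, exactly as in browsers.
  getElementById(id) { return this.elements.find((el) => el.id === id) || null; }
}

// The submit-over-XHR idiom from the thread, with preventDefault() and explicit
// field serialisation (URL-encoded body) added.
function attachXhrSubmit(form, url, XhrCtor) {
  form.addEventListener("submit", function (event) {
    event.preventDefault();
    const xhr = new XhrCtor();
    xhr.open("POST", url);
    xhr.send(new URLSearchParams(form.fields));
  });
}

// Fragile variant: trusts whichever element currently owns id="foo".
function wireById(doc, url, XhrCtor) {
  const theForm = doc.getElementById("foo");
  attachXhrSubmit(theForm, url, XhrCtor);
  return theForm;
}

// Gmail-style variant: the form is built by script and held directly, no lookup.
function wireBuiltForm(doc, url, XhrCtor) {
  const theForm = doc.createElement("form");
  // Stands in for building the input elements; values are placeholders.
  theForm.fields = { message: "hello", csrf_token: "TOKEN-PLACEHOLDER" };
  doc.appendChild(theForm);
  attachXhrSubmit(theForm, url, XhrCtor);
  return theForm;
}

// Scenario: attacker-controlled markup lands in the page before the real form.
function runScenario() {
  FakeXhr.sent = [];
  const url = "https://app.example/post"; // placeholder endpoint
  const doc = new FakeDocument();
  const injected = new FakeForm("foo", { message: "from injected form" }); // constructed
  doc.appendChild(injected);
  const real = new FakeForm("foo", { message: "from real form" });
  doc.appendChild(real);

  const picked = wireById(doc, url, FakeXhr);  // ends up on the injected form
  const realPrevented = real.submit();         // no handler: native attempt, CSP blocks it

  const built = wireBuiltForm(doc, url, FakeXhr);
  const builtPrevented = built.submit();       // handler ran, data went over XHR

  return {
    idConfused: picked === injected,
    realPrevented,
    realNativeAttempts: real.nativeAttempts,
    builtPrevented,
    requestCount: FakeXhr.sent.length,
    lastRequest: FakeXhr.sent[FakeXhr.sent.length - 1],
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

With the fragile lookup the listener lands on the injected form and the site's own form never gets one; its submission then falls back to the native path, which the policy blocks, so no data leaves either way, but the feature is broken. The built form needs no lookup, so there is nothing to confuse, and the server still sees the CSRF token it expects.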