- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sun, 6 Jul 2014 21:56:25 -0700
- To: pamela fox <pamela.fox@gmail.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I think it's both. If we can prevent the exfiltration of data, we can also
> prevent phishing attacks.

Well, not per se - you still allow scripts that may ask the users for their credentials and such; you're just hoping that they won't be able to hand these over to a remote server or other document, right?

Unfortunately, the latter, I think, is probably ~impossible :-( postMessage() is just one example, but there is a multitude of ways that JavaScript in a sandbox can communicate with the outside world without navigation or direct requests; for example, it's fairly straightforward to relay messages by modulating CPU load, by putting them in window.name or similar places, etc.

There have been quite a few academic papers that hinged on the assumption that such side channels do not exist or can be suppressed reliably, but I haven't seen anything that would seem realistic, TBH :-(

(In fact, the earliest experiment back in Netscape Navigator days is probably http://docstore.mik.ua/orelly/web/jscript/ch20_04.html)

/mz
Received on Monday, 7 July 2014 04:57:15 UTC