Re: In-browser sanitization vs. a “Safe Node” in the DOM from David Ross on 2016-01-22 (public-webappsec@w3.org from January 2016)

From: David Ross <drx@google.com>
Date: Fri, 22 Jan 2016 11:10:16 -0800
To: Craig Francis <craig.francis@gmail.com>
Cc: Conrad Irwin <conrad.irwin@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAMM+ux4kVC_2tsjgNOC4ZqYLfUU+yqB3DNqcQr=5H+AO0D2tzA@mail.gmail.com>

Anne:
> But if you instead use traversal, cloning, etc. it would be possible?
Can you clarify?  (Not sure if you're comparing with client-side
sanitization, or ?)

> And with sites that use event delegation you could spoof buttons and such.
If some particular design pattern for event delegation is pervasive we
should look at regulating that with a policy, perhaps enabled by
default.  You might imagine the policy affecting event bubbling /
capturing re the Safe Node, or automatically prefixing class names /
IDs, if that would help.  I don't know the most effective solution
offhand, but certainly the browser has everything it needs to regulate
this behavior.

Michaela:
> What makes it a little less useful is the need to again pre-screen
> the data that actually ends up within the safeDiv because .. as I
> understand it " ... untrusted markup injected into the Safe Node markup
> could prematurely close the Safe Node..."
No pre-screening is necessary!  The design pattern has the developer
use innerHTML to specify the unsafe markup.  So it's not possible to
close off the enclosing node.  This only places constraints on what
the developer must do to safely handle markup that makes use of a Safe
Node.  (E.g.: They can't just inject unsafe content into the middle
and assume the resulting markup is safe.)  In most cases hopefully
developers wouldn't need to manipulate the markup of the Safe Node so
this just wouldn't be a worry.

Craig:
> I'd just like to add that I'm also disappointed that a seamless iframe does not seem to be happening.
Yeah.  :-(

Dave

On Fri, Jan 22, 2016 at 8:57 AM, Craig Francis <craig.francis@gmail.com> wrote:
> On 21 Jan 2016, at 23:14, Conrad Irwin <conrad.irwin@gmail.com> wrote:
>
> I think the right way of doing something like this is an iframe (sad to hear
> seamless iframes are going nowhere), but in the absense of that a specific
> tag that implements this would be awesome.
>
>
>
>
> I'd just like to add that I'm also disappointed that a seamless iframe does
> not seem to be happening.
>
> http://caniuse.com/#feat=iframe-seamless
>
> https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe#attr-seamless
>
> Quite often I have some content (probably user provided html) that I'd like
> to isolate, and having an iframe which appears like a div (no frame or
> scrolling) was a perfect solution.
>
> Craig
>

Received on Friday, 22 January 2016 19:11:05 UTC