W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: In-browser sanitization vs. a “Safe Node” in the DOM

From: Chris Palmer <palmer@google.com>
Date: Fri, 22 Jan 2016 14:09:55 -0800
Message-ID: <CAOuvq21x21E_dAes+-MV2JMb9pb=+Q4M5xpMKFGm+B7uGKgEaw@mail.gmail.com>
To: David Ross <drx@google.com>
Cc: Craig Francis <craig.francis@gmail.com>, Conrad Irwin <conrad.irwin@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Jan 22, 2016 at 1:53 PM, David Ross <drx@google.com> wrote:

> How, exactly, can we compute whether a given string is an anti-CSRF
> > defense token, and how, exactly, can we compute if CSS just leaked
> > it to the attacker? I don't immediately see how that security guarantee
> > is computable.
> We should probably talk about a specific version of the attack to make
> sure we're on the same page.  (Maybe this one:
> http://html5sec.org/webkit/test)
>

"""My suggestion for a fix would be: simply make sure that scrollbars and
their numerous components and states cannot request external resources once
they appear/change state -- but fetch their stuff onload so we can avoid
attacks like these. The only think making this attack work is the fact that
some parts of the scrollbar loads data from an external machine on
visibility/appearance -- and not on declaration in the style-sheet."""

So you propose to adopt that behavior for CSS applied to children of the
Safe Node?


> I think that if you're only detecting what you're describing above,
> it's too late.  My expectation is that CSS defined within the Safe
> Node would have no affect on the DOM outside of the Safe Node.  Is
> there some reason why this is not possible to implement or that it
> would be ineffective at addressing the issue?
>

I don't know. It doesn't sound easy to implement the guarantee, but maybe
it is. I am not a Blink/rendering engine internals expert.


> > Basically, my argument is that the con — that a general purpose
> > filtering HTML parser would be useful — is huge, and also
> > sufficiently covers your intended goal (duct-taping an anti-pattern).
> > Thus, if we do anything, we should do that.
> Mmm, I lost you here...  How is that a con?  It sounds like just an
> assertion, and one that I wouldn't argue with.  And my intended goal
> is not to get rid of innerHTML, but I'm happy to help by removing
> innerHTML the design pattern I originally suggested.
>
>
You listed it as the sole con:

Cons (relative to sanitization)
> 1) Being able to get sanitized markup is a feature that could have
> non-niche use cases that have yet to be identified.
Received on Friday, 22 January 2016 22:10:27 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:17 UTC