W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2016

Re: Fixing third party content

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 22 Mar 2016 18:47:44 +0000
Message-ID: <CAEeYn8j5FV_9tGjJheQM_GtfW=AP9bCnOcwMAHPiyU-Xhw4L=g@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>, Craig Francis <craig@craigfrancis.co.uk>
Cc: WebAppSec WG <public-webappsec@w3.org>
I chatted with some folks about similar ideas during the W3C digital
marketing workshop.  My thought was to add an attribute to a script tag
that puts the script in a virtualized environment with filtered access to
the DOM, read-only - inspired a bit by the Chrome isolated world security
model for extensions.  I called the idea "frosted glass", as in, today
these 3rd party scripts are standing in the shower with you, but they could
be behind frosted glass - where they can look but not touch, and only to a
limited level of detail.

I think what the filter does would need to have some flexibility.  Ads
might want to be able to see a view of the DOM that includes text content
(and only text content).  Other, more cooperative use cases that are
possibly even more ubiquitous than ads are analytics scripts, which need a
different filter - they want to be able to see certain events firing and
the structure of the page, maybe the class and id attributes of tags, but
should probably not be able to see text content directly.  Or you might
want to specify a one-way transformation as a filter, so the DOM looks
totally realistic but is just hashes/HMACs that only you can make sense of
at scale.

My hope in adding an attribute to a script tag instead of creating a new
type of iframe was that you could continue to use existing things without
having to modify those scripts at all - they would be not be aware they
were getting an information-limited view unless they were changed
specifically to test for that.

On Tue, Mar 22, 2016 at 5:40 AM Yoav Weiss <yoav@yoav.ws> wrote:

> FWIW, I totally agree that the way third party content is embedded today
> is troubling from both security and performance perspectives.
>
> Do you have any documents regarding which type of read access these ad
> providers require? Are you sure read access would satisfy their needs? Are
> ad providers unified regarding these requirements?
>
>
Received on Tuesday, 22 March 2016 18:48:21 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:18 UTC