- From: Hallvord Reiar Michaelsen Steen <hallvord@hallvord.com>
- Date: Tue, 21 Feb 2006 13:31:51 +0900
On 12 Feb 2006 at 0:43, Alexey Feldgendler wrote: > > This is very hard to implement. AFAIK no UA's JavaScript engine has a > > concept of the "origin" of a function. > > Gecko has... Almost. Actually, it has internal data structures which seem > suitable for origin tracking. Great that you keep investigating that :-) > > Caveat: I'm not a programmer, just a tester. > > Though I'm a programmer, I've never taken part in browser development. We > really need an opinion of a browser script engine developer. Now, I've been asking around and I've been allowed to forward some E- mails to the list. Here is the initial response from a core DOM support developer: <q> What is or what isn't technically simple to implement in existing implementations should perhaps not be what decides how specifications are written. It is clear that it is possible to implement per-function security tracking (though slightly unclear how such security tracking should work; which of all currently executing functions determine the security context?) It is also clear that it hasn't been exactly been required by implementations yet, so it is likely that an implementation doesn't have it already. And since it involves storing more information, implementing it is likely to cost some in terms of memory use. And since it complicates the security mechanisms, it is questionable that it is at all a good idea. I haven't followed the discussion on the list very closely, but it sounded to me like a problem best solved some other way. </q> [on the proposed HTTP headers for content restriction] <q> why doesn't the author simply make sure to serve the untrusted content from another server (with another host name or port number, that is, not necessarily another machine)? Then the current security policies will work fine, and in all current browsers too, as a bonus. Or is there a need to share some information between documents but still have custom restrictions? </q> (That might work for webmail but maybe not for blogs?) > >>> Also, how do you prevent inner "safe" script from e.g. overlaying > >>> content on top of any arbitrary part of the page using absolutet > >>> positioning? > Can't the containing page take care of this with stylesheets? Specifying > overflow:clip and something like that for the sandbox element. overflow:hidden would solve it, yes (though it means that any bugs in overflow:hidden support become potential security issues). > > Regarding SANDBOX when I look at the discussion and points raised so > > far I sort of get the feeling that we are re-inventing IFRAME... > IFRAME and other such elements (e.g. OBJECT) are very different from > SANDBOX because they require loading of external content. Not with data: uri support in clients :-) I know what you mean though.. > It would be very > ineffective for, say, a blog page to load each entry with a separate HTTP > request. A sandbox is more like an "inline IFRAME", I mean, an IFRAME > whose content is contained inside the element and not in an external > resource. An inline inline frame then :-) My DOM expert comments again, on <SANDBOX>: <q> Seems that brings another (although simpler) set of problems though: what if the untrusted content contains a "</SANDBOX>" tag, or if it ends with "<!--", or possibly other syntax anomalies? What if it doesn't contain exactly that, but something else that triggers equivalent behaviour in the HTML parser in some implementation? HTML parser are traditionally quite complex, and quite "fuzzy". The fuzziness hasn't been a security problem before, now all of a sudden it might be. On the other hand: this would be introduced in a specification that also specifies how an HTML parser should work. </q> Did we discuss how the UA should handle a closing </sandbox> tag? Would it need to scan forward in the markup to find other closing tags and determine if the current one is a part of the enclosed markup or the end of the SANDBOX in that page? Perhaps only the first and the last SANDBOX open/close tags can be taken into account and others discarded? -- Hallvord Reiar Michaelsen Steen hallvord at hallvord.com http://www.hallvord.com/ Assuming that communication is possible is more fun
Received on Monday, 20 February 2006 20:31:51 UTC