- From: Mihai Sucan <mihai.sucan@gmail.com>
- Date: Sat, 27 May 2006 23:31:56 +0300
Hello!

On Sat, 27 May 2006 19:58:28 +0300, Alexey Feldgendler <alexey at feldgendler.ru> wrote:

> Some more thoughts on security of scripted documents.
>
> Though sandboxing, as discussed earlier on this mailing list [1], would
> be a powerful tool to ensure security of scripted documents, it's
> overkill in many situations. Analyzing typical vulnerabilities found in
> web applications, I have found that many of them are caused by the
> possibility to trick the user agent into execution of a malicious
> script. This is often achieved by including scripts in unusual places in
> user-supplied code, such as the following text in a blog comment:
>
> <span style="color:expression(...steal cookies...)">LOL!</span>
>
> If the HTML cleaner fails to strip this, too bad. Sometimes, it's more
> complex than that, but the idea is the same: put a script in some
> unexpected place. (Another example:
> style="background:url(javascript:...)".)
>
> Sandboxes would, of course, deal with this, but there is a much simpler
> measure targeted specifically at such exploits.

Yes, sandboxes are somewhat overkill, like "did the web reach this level already?". That's something along the lines of: "do authors really need such advanced capabilities?". Thinking of sandboxing is as if viruses were already running in the wild. However, it's better to think forward and be cautious.

> I propose to define the notion of "side effect free script". All
> browsers which allow scripts in declarations like CSS should only allow
> side effect free scripts in such places.
>
> [...]
>
> 9. Optionally, execution time limit may be imposed on the thread, so
> that it doesn't make the document unrenderable by running an endless
> loop inside CSS expression().

Of course. I like that Gecko and Konqueror have an execution time limit. It's something important, since authors can create malicious pages which bring down the entire browser.

> The above is very raw thoughts. I'd like to hear some feedback on the
> idea itself.

Interesting thoughts, but I don't know why I don't find myself enthusiastic about the "side-effect free script" notion you've detailed. Maybe something better is still needed.

--
http://www.robodesign.ro
ROBO Design - We bring you the future
Received on Saturday, 27 May 2006 13:31:56 UTC
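The two vectors quoted in the thread above, `style="color:expression(...)"` and `style="background:url(javascript:...)"`, are exactly what an HTML cleaner has to strip from user-supplied markup. The following is an added example, not code from this thread or from any browser or sanitizer project: an allow-list sanitizer for inline style attributes in JavaScript. It normalizes the attribute value first (HTML character references, CSS comments, CSS backslash escapes, control characters) so that obfuscated spellings of `expression(` and `url(` are seen for what they are, and then keeps only declarations whose value is plain keywords, numbers, colours or `rgb()`/`hsl()` calls. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example: allow-list sanitizer for inline style attributes.
// Not part of the mailing-list thread or of any browser's code.

// Normalize an attribute value the way a browser's HTML and CSS parsers
// would before they see the keyword, so deny-list bypasses such as
// "expr/**/ession(", "exp\72 ession(" or "&#117;rl(" collapse into the
// plain form. Result is lowercased for comparison only.
function decodeStyleValue(value) {
  const cp = (n) => (n > 0x10ffff ? "" : String.fromCodePoint(n));
  let s = String(value);
  // HTML numeric character references (hex and decimal), ';' optional.
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
  // CSS comments are ignored by the CSS tokenizer.
  s = s.replace(/\/\*[\s\S]*?\*\//g, "");
  // CSS hex escapes (up to six hex digits, one optional trailing space)
  // and simple escapes ("\l" -> "l").
  s = s.replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => cp(parseInt(h, 16)));
  s = s.replace(/\\(.)/g, "$1");
  // Control characters are dropped by tokenizers; drop them here too.
  s = s.replace(/[\u0000-\u001f\u007f]/g, "");
  return s.toLowerCase();
}

// One declaration: "property: value" with a plain property name.
const SAFE_DECLARATION = /^([a-z-]+)\s*:\s*([^;]*)$/;

// Allowed value characters: letters, digits, '#', '%', '.', ',', '-' and
// whitespace. Parentheses appear only as rgb()/rgba()/hsl()/hsla() with
// numeric arguments, so expression(...) and url(...) never match, and
// ':' is not allowed at all, so "javascript:" cannot appear.
const SAFE_VALUE = /^(?:[a-z0-9#%.,\s-]|(?:rgba?|hsla?)\([0-9.,%\s]*\))+$/;

// Returns the declarations that passed, re-serialized, plus the ones
// that were dropped so a caller can log or reject the whole comment.
function sanitizeStyle(styleAttr) {
  const kept = [];
  const dropped = [];
  for (const raw of decodeStyleValue(styleAttr).split(";")) {
    const decl = raw.trim();
    if (decl === "") continue;
    const m = SAFE_DECLARATION.exec(decl);
    if (!m || !SAFE_VALUE.test(m[2].trim())) {
      dropped.push(decl);
      continue;
    }
    kept.push(`${m[1]}: ${m[2].trim()}`);
  }
  return { style: kept.join("; "), dropped };
}

// Constructed inputs: the two vectors from the thread plus obfuscated
// variants that a naive indexOf("expression") check would miss.
const SAMPLES = [
  "color: red; font-size: 12px",
  "color:expression(alert(document.cookie))",
  "background:url(javascript:alert(1))",
  "color:expr/**/ession(alert(1))",
  "background:&#117;rl(javascript:alert(1))",
  "color:exp\\72 ession(alert(1))",
  "color: rgb(255, 0, 0); width: 50%",
];

for (const s of SAMPLES) {
  const r = sanitizeStyle(s);
  console.log(JSON.stringify(s), "->", JSON.stringify(r.style), "dropped:", r.dropped.length);
}
```

The decode step is deliberately more aggressive than any single parser (it applies HTML and CSS decoding even where a browser would apply only one), which is the safe direction for a filter: it can only cause a benign value to be dropped, never a script-bearing one to be kept. Because the final check is an allow-list, a new bypass spelling still has to produce `(` or `:` in the value to do anything, and both are rejected.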