[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Hi Maciej,

Does OS X (or the iPhone for that matter) support Java 6 yet?

And were all these security bug reports you keep seeing to do with Java in
general, or the Apple version in particular?

Would "Strict Same Origin" policy not be useful as an optional (perhaps
default) configuration?

Cheers Richard Maher

----- Original Message ----- 
From: "Maciej Stachowiak" <mjs@apple.com>
To: <elharo at metalab.unc.edu>
Cc: <whatwg at lists.whatwg.org>; "Michal Zalewski" <lcamtuf at dione.cc>
Sent: Tuesday, September 30, 2008 12:22 PM
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to
the current web


>
> On Sep 26, 2008, at 2:19 PM, Elliotte Rusty Harold wrote:
>
> > Michal Zalewski wrote:
> >
> >> I kinda assumed this suggestion was tongue-in-cheek, but if not -
> >> banning cross-domain IFRAMEs to fix one flaw, without providing
> >> viable methods for sandboxing untrusted same-origin content, would
> >> leave web developers with no tools to deal with quite a few classes
> >> of major security issues.
> >
> > It's tongue-in-cheek that I don't expect it to be adopted or
> > seriously considered (this year). It's not tongue-in-cheek in that I
> > very much wish it were adopted. That is, I think it's in the realm
> > of the desirable, not the possible.
> >
> > I am curious what issues you see with same origin content. They
> > certainly exist, but I tend to feel those are orthogonal to the
> > issues at hand, and subject for a separate discussion.
> >
> > I do think we have an existence proof that security in this realm is
> > possible. That's Java. Modulo some outright bugs in VMs (since
> > repaired) the default Java applet security model has worked and
> > worked well since 1.0 beta 1. (1.0 alpha 1 wasn't quite strict
> > enough.) I have seen no security design flaws exposed in Java
> > applets in over ten years. That's why I suspect duplicating Java's
> > security policy in HTML is a safe way forward. I'm skeptical that
> > anything less will suffice.
>
> Java's security policy is also looser in some ways. For example, it
> allows the applet to connect to any port on the origin server. This
> has at times caused Java applets to be subject to vulnerabilities that
> did not affect plain HTML+JS+CSS (more recently than in the past 10
> years). The general Web same-origin policy considers the port as well
> as the host to be part of the origin.
>
> More generally, I am on Apple's internal incoming security bug list,
> and I see Java applet security bugs all the time, so I think whatever
> the strength of the model may be, it does not lead to Java applets
> being secure in practice.
>
> And finally, the key question for whether strict same-origin can work
> it not one of security but of functionality and usability. The trend
> in recent years has been for browsers to punch more controlled holes
> in the same-origin policy to fulfill the frequent desire of Web
> application developers to communicate with other servers from the
> client side. This is desirable so that "AJAX" apps (where most of the
> logic and functionality is client-side) can make use of third-party
> Web services APIs, in the same way that native apps can, without
> having to round-trip through their own server. I do not see this trend
> reversing any time soon.
>
> In conclusion I think limiting the Web to 100% strict same-origin
> would not be desirable even in an ideal world where compatibility
> issues are not a concern.
>
> > I don't expect this to happen, however, because many large players
> > are exploiting existing security design flaws in the web to do
> > things they shouldn't be allowed to do in the first place,
> > especially tracking users. Any scheme that limits the ability of
> > advertisers and others to track users will be strenuously resisted.
>
> For the record, neither Apple nor the WebKit project have any strong
> commercial interest in the ability of advertisers or others to track
> users.
>
> Regards,
> Maciej
>
>

Received on Wednesday, 29 October 2008 02:50:51 UTC