
[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 30 Sep 2008 10:37:55 +1300
Message-ID: <11e306600809291437u21852726wf729c150dfb815cd@mail.gmail.com>
On Tue, Sep 30, 2008 at 2:44 AM, Michal Zalewski <lcamtuf at dione.cc> wrote:

> Well, so I agree. Yet, given the choice between:
>
>  1) Telling developers that they can't do any "privileged" gadgets safely
>     at all, not theirs, and for reasons that are hard to explain to
>     regular developers too - and pretending that the problem does not
>     exist while people continue to depend on the unsafe logic (because
>     whether we like it or not, it seems that gadgets, mashups, and other
>     methods of tightly integrating various applications and data sources
>     on the client side are here to stay),
>

We can easily offer these developers the following options:
a) developers of privileged gadgets can whitelist domains that they trust to
not subvert the UI
b) privileged gadgets can be offered to the world as long as the IFRAME's
own UI is not trusted. For example, gadgets whose purpose is to offer a
postMessage API to untrusted container pages would be just fine.
c) spawn new windows/tabs to perform or confirm privileged operations
d) mix of strategies ... for example, gadgets could offer privileged UI to
trusted container pages, but for untrusted containers, attempts to use the
privileged UI would spawn a separate window/tab to perform the operation

We might also be able to help by extending the browser UI, for example by
supporting extra panes like the old Netscape sidebar UI (but better). But to
explore that further, I'd want to better understand the use cases that are
not served by a) b) c) or d) above.

I honestly think that, compared to an extremely complex, mysterious and
ever-changing set of UI threat mitigation strategies, which will inevitably
diverge across browsers and across browser versions and will constantly
interfere with the user experience, the above approach will actually end
up more attractive to developers.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
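As an added illustration of options a), b) and d) from the message above (example code, not from the thread or any browser project): a gadget that only renders privileged UI when framed by a whitelisted container origin, otherwise exposes just a postMessage API and pushes privileged operations into a separate top-level window. The origins, command names and the `openWindow` stand-in for `window.open` are constructed for the example.

```javascript
// Constructed whitelist (option a): container origins trusted not to
// overlay, obscure or otherwise subvert the gadget's UI.
const TRUSTED_CONTAINERS = new Set(["https://portal.example"]);

const PUBLIC_COMMANDS = new Set(["getBalance"]);    // safe to answer inline
const PRIVILEGED_COMMANDS = new Set(["transfer"]);  // never inline for untrusted callers

// Option a): decide what the gadget may render. `origin` is the origin of the
// framing page (null when the gadget is not framed at all).
function chooseMode(origin) {
  if (origin === null) return "privileged-ui";
  return TRUSTED_CONTAINERS.has(origin) ? "privileged-ui" : "message-api";
}

// Options b) and d): the postMessage entry point. `event` has the shape of a
// MessageEvent ({origin, data, source}); `openWindow(url)` stands in for
// window.open so the logic runs outside a browser.
function handleMessage(event, openWindow) {
  const data = event.data;
  let result;
  if (typeof data !== "object" || data === null || typeof data.command !== "string") {
    result = { accepted: false, reason: "malformed" };
  } else if (PUBLIC_COMMANDS.has(data.command)) {
    result = { accepted: true, action: "inline", command: data.command };
  } else if (PRIVILEGED_COMMANDS.has(data.command)) {
    // Trust is decided by the sender's origin, not by what the message claims.
    if (chooseMode(event.origin) === "privileged-ui") {
      result = { accepted: true, action: "inline", command: data.command };
    } else {
      // d) untrusted container: perform/confirm in a separate top-level window,
      // where no container page can overlay or hide what the user clicks.
      const url = "https://gadget.example/confirm?op=" + encodeURIComponent(data.command);
      openWindow(url);
      result = { accepted: true, action: "new-window", command: data.command, url };
    }
  } else {
    result = { accepted: false, reason: "unknown-command" };
  }
  // Reply only to the origin the message came from, never to "*".
  if (event.source) event.source.postMessage(result, event.origin);
  return result;
}
```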
Received on Monday, 29 September 2008 14:37:55 UTC
