- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 18 Oct 2009 19:47:26 +0000 (UTC)
On Sun, 18 Oct 2009, Ben Laurie wrote:
> On Sun, Oct 18, 2009 at 5:37 AM, Ian Hickson <ian at hixie.ch> wrote:
> > On Fri, 16 Oct 2009, Ben Laurie wrote:
> >> > On Thu, 6 Aug 2009, Andrew Oakley wrote:
> >> >>
> >> >> - Should the type attribute take precedence over the Content-Type
> >> >> header?
> >> >
> >> > No, I believe what the spec says here is the preferred behaviour.
> >> > Unless this is incompatible with legacy content, we should try to move
> >> > towards this behaviour.
> >>
> >> I realise this is only one of dozens of ways that HTML is unfriendly to
> >> security, but, well, this seems like a bad idea - if the page thinks it
> >> is embedding, say, some flash, it seems like a pretty bad idea to allow
> >> the (possibly untrusted) site providing the "flash" to run whatever it
> >> wants in its place.
> >
> > If the site is untrusted, yet you are letting it run flash, then you've
> > lost already. Flash can inject arbitrary JS into your page.
>
> Perhaps I am failing to understand, but if I embed anything from an
> untrusted site, then it can choose what type it is - so how would I
> prevent it running Flash?

You can't exclude one type and allow others, but if you want a very specific type used for a plugin, you can use <embed>. If you just want to allow the untrusted site to do anything, but in their own security context so it can't harm your site, use <iframe>.

> > If you are worried about security, I recommend using <iframe>. The new
> > sandbox="" feature will help even more, once implemented.
>
> I am worried about security, and I recommend using Caja - but Caja still
> has to output valid HTML/CSS/JS...

I don't understand the problem.

> > On Fri, 16 Oct 2009, Boris Zbarsky wrote:
> >>
> >> This cuts both ways. If a site allows me to upload images and I
> >> upload an HTML file with some script in it and tell it it's a GIF
> >> (e.g. via the name) and then put an <object type="text/html"
> >> data="http://this.other.site/my.gif"> on my site... then I just
> >> injected script into a different domain if we let @type override the
> >> server-provided header.
> >>
> >> This is, imo, a much bigger problem than that of people embedding
> >> content from an untrusted site and getting content X instead of
> >> content Y, especially because content X can't actually access the
> >> page that contains it, right?
> >
> > Indeed.
>
> You just said it could, above.

The example Boris mentioned was HTML. Embedded HTML is always origin-blocked. The example I mentioned earlier was Flash. Flash runs in the context of the embedder page.

HTH,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 18 October 2009 12:47:26 UTC
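An upload-time check for the scenario Boris describes (an HTML file uploaded under a .gif name and then labelled text/html by an embedding page): this is an added example, not code from the thread or from any browser or image host, and the signature table, the extension map and the heuristic scan for HTML markup are my own assumptions.

```python
"""Upload validation for an image host: trust the bytes, not the file name.

Constructed example. Whether or not a browser lets an <object type="...">
attribute override the server's Content-Type, a hosting site that only
stores real image bytes under image/* never serves HTML to be overridden.
"""

# Leading byte signatures for the image types this hypothetical host accepts.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
EXT_TO_TYPE = {"gif": "image/gif", "png": "image/png",
               "jpg": "image/jpeg", "jpeg": "image/jpeg"}
# Markers that have no business inside the first KiB of a real image.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body",
                b"<iframe", b"<object", b"<embed")


def sniff_image_type(data: bytes):
    """Return the image type whose signature the bytes start with, else None."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def looks_like_html(data: bytes) -> bool:
    """Heuristic: valid image header followed by markup (a polyglot upload)."""
    head = data[:1024].lower()
    return any(m in head for m in HTML_MARKERS)


def validate_image_upload(filename: str, data: bytes):
    """Return (accepted, content_type) or (False, reason) for one upload."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TO_TYPE.get(ext)
    if declared is None:
        return False, "unsupported extension"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "no known image signature"
    if actual != declared:
        return False, f"name says {declared} but bytes say {actual}"
    if looks_like_html(data):
        return False, "image header followed by HTML markup (polyglot)"
    return True, actual
```

Accepted files are then served with the sniffed type as the Content-Type, which is the server-provided header the thread is arguing should win.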