W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2010

[whatwg] some thoughts on sandboxed IFRAMEs

From: Adam Barth <whatwg@adambarth.com>
Date: Mon, 25 Jan 2010 06:29:42 +0000
Message-ID: <7789133a1001242229o7b978271oe1e1644a10785b40@mail.gmail.com>
On Sun, Jan 24, 2010 at 8:09 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> On Sun, Jan 24, 2010 at 6:19 AM, Adam Barth <whatwg at adambarth.com> wrote:
>> In general, stopping malicious content from exfiltrating data isn't
>> practical. ?For example, even including a single hyperlink is often
>> sufficient to exfiltrate a large amount of data. ?In user agents that
>> prefetch DNS, the user doesn't even need to click on the link.
>
> DNS prefetching doesn't tell you anything except that someone viewed
> the link, right? ?And maybe what their ISP is, in a typical case.
> Including an image tells you their IP address, User-Agent, and so on.

That depends what information the attacker encodes in the host name.
Recall that we're imaging the attacker gets to run JavaScript within
the sandbox, so, for example, the attacker can read the user agent and
encode that in the host name.

> How can you get any data out of a link with no DNS prefetching? ?Some
> users will click the link, but not all. ?Maybe quite a lot if you
> allow arbitrary CSS, of course . . . you could easily make the whole
> post a link. ?But "everyone who clicks on a given post for some
> reason" is still a lot less than "all viewers", which is what image
> inclusions will do.

Well, given that the attacker can use CSS, the attacker can make the
hyperlink fill the entre content area (or at least the area occupied
by the iframe).  The attacker can also use the :hover selector to make
interesting things happen when the user mouses over the link.

The point is that stopping exfiltration is a losing battle that we
shouldn't bother to play.

Adam
Received on Sunday, 24 January 2010 22:29:42 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:20 UTC