- From: Michael A. Puls II <shadow2531@gmail.com>
- Date: Mon, 07 Mar 2011 15:49:13 -0500
On Mon, 07 Mar 2011 15:11:03 -0500, Michal Zalewski <lcamtuf at coredump.cx> wrote: > Hi folks, > > The HTML4 spec said that on <object> and <embed> tags, Content-Type > overrides type=. All browser vendors implemented a different behavior, > however, where type= almost always overrides Content-Type. > > Plugin vendors, in turn, missed that "almost" part, built extensive > security mechanisms, and promoted use cases where one site can embed > Flash movies, PDF documents, simple multimedia, and so on, from > another, untrusted source without suffering substantial security > consequences. For example, Flash exposes allowScriptAccess, > allowNetworking, and allowFullScreen parameters that can be used to > sandbox the loaded content: > > <object data="http://somewhere_funny/" > type="application/x-shockwave-flash"> > <param name="allowScriptAccess" value="never"> > <param name="allowNetworking" value="never"> > <param name="allowFullScreen" value="never"> > </object> > > People embraced this approach in web discussion forums, on online blogs, > etc. > > Unfortunately, there is the "almost" part: in some originally > undocumented cases, browsers permit the attacker to override explicit > type= based on URL file extensions, content sniffing, or Content-Type. > This makes the aforementioned popular use case dangerous, because any > site that wishes to embed a security-restricted Flash movie may end up > embedding a Java applet instead, and Java has unconditional access to > the DOM of the embedding page via DOMService. > > While it can be argued that it's the websites and plugin vendors that > are doing it wrong, the issues with HTML4 spec and actual browser > behavior contributed to it, and it may be prudent to fix the mess. > > HTML5 spec makes an attempt to explicitly sanction the current > behavior, where neither the embedding nor the hosting party have > control over how the content will be displayed, in the specification > for the <object> element. Given the aforementioned situation, I think > this is harmful and needs to be revised. > > In my opinion, the preferred outcome would be to make type= > authoritative when specified, or provide an alternative way of > ensuring specific routing of the retrieved content on markup level. In > addition, to resolve existing problems with non-plugin content being > interpreted as plugin data (e.g. > http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/), it would also > be prudent to provide servers a way to demand rendering only if > Content-Type provided by the server, and type= in the markup, match. > > Thoughts? I agree and for the same reasons as you. Like Boris, I think one should be able to specify this via an attribute. -- Michael
Received on Monday, 7 March 2011 12:49:13 UTC