
Re: [whatwg] Proposal: Write-only submittable form-associated controls.

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Wed, 15 Oct 2014 09:10:18 -0700
Message-ID: <CAAWBYDBBBT5ce94AsOxHRd=MFNmCMSFJZ8Qhj4VO9FV7c5p3oQ@mail.gmail.com>
To: Domenic Denicola <domenic@domenicdenicola.com>
Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Mike West <mkwst@google.com>, Jonas Sicking <jonas@sicking.cc>
On Wed, Oct 15, 2014 at 8:59 AM, Domenic Denicola
<domenic@domenicdenicola.com> wrote:
> For the XSS attacker, couldn't they just use `theInput.removeAttribute("writeonly"); alert(theInput.value);`?
>
> Or is this some kind of new "un-removable attribute"?

Doesn't matter if it is or not - the attacker can still always just
remove the <input> and put a fresh one in.

Nothing in-band will work, because the attacker can replace arbitrary
amounts of the page if they're loaded as an in-page script.  It's
gotta be *temporally* isolated - either something out-of-band like a
response header, or something that has no effect by the time scripts
run, like a <meta> that is only read during initial parsing.

~TJ
Received on Wednesday, 15 October 2014 16:11:16 UTC
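The two attacks raised in the thread and the distinction the reply draws between an in-band attribute and a policy fixed before any script runs, as an added example that is not part of the original thread or of any browser's implementation. It uses a tiny stand-in for the DOM so it runs in Node without jsdom; the `Input`, `Form`, `inBandValueGetter` and `buildParseTimePolicy` names and the sample secret are the example's own, and keying the parse-time policy by field name is an assumption the thread does not make.

```javascript
// Added illustration of the thread's argument; not code from the proposal or
// from any browser. A minimal stand-in for the DOM keeps it runnable in Node.

class Input {
  constructor(attrs = {}) {
    this.attrs = { ...attrs };
    this.typed = ''; // what the user typed into this box
  }
  setAttribute(name, v) { this.attrs[name] = v; }
  removeAttribute(name) { delete this.attrs[name]; }
  hasAttribute(name) { return name in this.attrs; }
  get name() { return this.attrs.name; }
}

class Form {
  constructor() { this.inputs = []; }
  append(input) { this.inputs.push(input); }
  replace(oldInput, newInput) {
    this.inputs[this.inputs.indexOf(oldInput)] = newInput;
  }
  byName(name) { return this.inputs.find((i) => i.name === name); }
}

// Design A (in-band): the "browser" decides whether script may read .value
// from an attribute on the element itself, which script can also edit.
function inBandValueGetter(input) {
  return input.hasAttribute('writeonly') ? '' : input.typed;
}

// Design B (temporally isolated): the list of protected fields is captured
// while the document is parsed (from a response header or a parse-time
// <meta>, as the reply suggests) and lives only in this closure. Script can
// rewrite the DOM freely but never reaches the set. Keying by field name is
// this example's assumption, not something the thread specifies.
function buildParseTimePolicy(protectedFieldNames) {
  const protectedNames = new Set(protectedFieldNames);
  return (input) => (protectedNames.has(input.name) ? '' : input.typed);
}

// The user types the credential into whatever 'password' box is in the form
// at that moment; they cannot tell an original element from a swapped-in one.
function userTypesPassword(form, secret) {
  form.byName('password').typed = secret;
}

// Attack 1 (Domenic's message): strip the attribute, then read the value.
function attackStripAttribute(form, valueOf) {
  const pw = form.byName('password');
  pw.removeAttribute('writeonly');
  return valueOf(pw);
}

// Attack 2 (Tab's reply): throw the protected element away, insert a fresh one
// without the attribute before the user types, then read from the fresh one.
function attackReplaceElement(form, valueOf, secret) {
  const original = form.byName('password');
  const fresh = new Input({ name: 'password', type: 'password' });
  form.replace(original, fresh);
  userTypesPassword(form, secret); // victim types into the attacker's element
  return valueOf(form.byName('password'));
}

// Runs both attacks against one design and returns what the attacker recovers.
// design is 'in-band' or 'parse-time'.
function runScenario(design) {
  const SECRET = 'correct horse battery staple'; // constructed sample input
  const makeForm = () => {
    const form = new Form();
    form.append(new Input({ name: 'password', type: 'password', writeonly: '' }));
    return form;
  };
  const valueOf = design === 'in-band'
    ? inBandValueGetter
    : buildParseTimePolicy(['password']);

  // Scenario 1: user types first, then the injected script strips and reads.
  const f1 = makeForm();
  userTypesPassword(f1, SECRET);
  const stripped = attackStripAttribute(f1, valueOf);

  // Scenario 2: the injected script swaps the element before the user types.
  const f2 = makeForm();
  const replaced = attackReplaceElement(f2, valueOf, SECRET);

  return { stripped, replaced };
}

console.log('in-band   :', runScenario('in-band'));
console.log('parse-time:', runScenario('parse-time'));
```

Against the in-band design both attacks hand the attacker the typed secret; against the parse-time policy both return the empty string, because nothing the script can do to the DOM changes a set that was sealed before the script existed. The sketch deliberately models only what the thread argues; how a real header or `<meta>` would identify the protected control, and what an injected script could do with that identification, is left open here as it is in the thread.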
