[whatwg] Sandboxing ideas
Michel Fortin
michel.fortin at michelf.com
Mon May 14 20:13:43 PDT 2007
Le 2007-05-14 à 17:11, Alexey Feldgendler a écrit :
> On Mon, 14 May 2007 22:29:57 +0200, Michel Fortin
> <michel.fortin at michelf.com> wrote:
>
>> If you want the sandbox to degrade securely in older browsers,
>> then this is not a solution. But I don't think there's a nice
>> solution to that anyway.
>
> This does degrade securely, doesn't require separate HTTP requests,
> and maintains human readability.
> http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2005-December/
> 005301.html
Quoted from there:
> 7.1. There are new elements: <safe-script>, <safe-object>, <safe-
> iframe>
> (did I forget something?). They are equivalent to their "unsafe"
> counterparts, except that the existing browsers simply ignore them.
> HTML
> cleaners should replace <script> with <safe-script> and likewise.
>
> 7.2. HTML event handler attributes are mangled likewise: safe-
> onclick, for
> example. Note that this doesn't affect the names of DOM properties
> like
> element.onclick.
>
> 7.3. A new URI scheme is introduced: "safe-javascript:". Likewise.
People are already struggling to remove all scripts from HTML
snippets. I don't think finding all these occurrence and replacing
them is going to be much better. Also, you'd need safe-style="" and
<safe-style> too, since IE can embed javascript expressions into
style rules. (And now lets hope IE does not allow expression elsewhere.)
<sandbox>, as suggested above, does not degrade securely in my
opinion, not without complex preprocessing with workarounds for
every browser's features. Today's browsers don't understand the
<sandbox> element and will execute enclosed scripts with full access
to the page, and I doubt many web developers will get that
preprocessing right (so much things to think about).
I my last reply:
> Le 2007-05-14 à 16:19, Alexey Feldgendler a écrit :
>
>> Not to mention that data: URIs are ugly, wasteful (because of the
>> BASE64 encoding), cannot be read and written by humans directly,
>> and have maximum length problems in some implementations.
>
> I think you can use HTTP compression to work around the inflated
> size of Base64, but otherwise it certainly is ugly and not human
> readable.
Thinking more about it now, you don't need Base64 encoding. This can do:
<iframe src="data:text/html;charset=utf-8,
<!DOCTYPE HTML>
<p>"Unsafe" content here:</p>
<script>
document.write(window.parent.location)
</script>
"></iframe>
(Tested to work in Safari and Camino.)
The interesting bit is that a failure to correctly encode quotes
within the inner document URL is an easy-to-notice mistake as it'll
cause the page to behave badly visually, making it unlikely that web
developers forget about it and leave holes for attackers to insert
other attributes or tags in the page's content.
This principle could be transposed to <sandbox>, where it could be
defined as taking the unsafe HTML content from an attribute. And the
best part: you don't need anything else like the safe-* substitutions
as suggested earlier for <sandbox>:
<sandbox type="text/html" content="
<p>"Unsafe" content here:</p>
<script>
document.write(window.parent.location)
</script>
">
Alternative, possibly degraded but safe content for older
browsers.
</sandbox>
This would allow authors to make sandboxes that degrade both
"securely" (as shown above) and "unsecurely" (by placing the same
content as alternative content, exposing the whole page to the script
for older browsers while keeping it sandboxed on the new ones).
Michel Fortin
michel.fortin at michelf.com
http://www.michelf.com/
More information about the whatwg
mailing list