[whatwg] Security: emphasize that subdomain is not enough for user provided scriptable content

Mikko Rantalainen mikko.rantalainen at peda.net
Tue Aug 28 05:33:01 PDT 2018


The page

   https://html.spec.whatwg.org/dev/iframe-embed-object.html

contains an example that has "usercontent.example.net" instead of e.g. 
"video.example.com" used in the same chapter. It does have a warning saying:

> It is important to use a separate domain so that if the attacker
> convinces the user to visit that page directly, the page doesn't run
> in the context of the site's origin, which would make the user
> vulnerable to any attack found in the page.

but I think this should specifically mention that using a subdomain is 
not enough, because JavaScript can lift any domain restrictions if only 
the subdomain is different. This difference may not be immediately 
obvious to a casual reader, especially because both examples also have 
different subdomains, which is easier to notice.

I'm not sure how the wording should be put, because technically 
"example.com." is a subdomain of the "com." top-level domain. And we have 
stuff such as "co.uk.", which makes things even hairier.

I guess that the spec would like to use .example.* domains in all the 
examples but perhaps one could use something more explicit such as

    https://example-usercontent.com/...

for this example, in addition to being more explicit about subdomains in 
the warning. That would prevent even a casual reader from mixing up 
a.example.com and b.example-usercontent.com.

-- 
Mikko
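The point of the post, shown in code: this is an added example, not code from the mailing-list post or from the WHATWG spec. It models the spec's origin tuple, the document.domain setter's checks (the value must be a domain suffix of the host and must not be a public suffix) and the "same origin-domain" comparison used for cross-frame DOM access. Two pages on sibling subdomains of example.com are different origins, yet each can set document.domain to the shared parent and then reach the other, while a page on example-usercontent.com has no non-public suffix in common with example.com and so cannot opt in. The public-suffix set and the host names are constructed for the example.

```javascript
// Added example; not code from the mailing-list post or the WHATWG spec.
// A small model of the HTML origin rules the post is about.

// Constructed stub of the Public Suffix List: document.domain may never be
// set to one of these (that would let every .com site opt in together).
const PUBLIC_SUFFIXES = new Set(["com", "net", "uk", "co.uk"]);

// True if `suffix` equals `host` or is a dot-separated ancestor of it.
function isDomainSuffixOf(suffix, host) {
  return host === suffix || host.endsWith("." + suffix);
}

// Origin tuple (scheme, host, port) plus the mutable "domain" slot that the
// document.domain setter fills in; it stays null until a page opts in.
function makeOrigin(scheme, host, port = null) {
  return { scheme, host, port, domain: null };
}

// Model of the document.domain setter: the new value must be a domain
// suffix of the current host and must not be a public suffix.
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase();
  if (!isDomainSuffixOf(v, origin.host)) {
    throw new Error(`${v} is not a domain suffix of ${origin.host}`);
  }
  if (PUBLIC_SUFFIXES.has(v)) {
    throw new Error(`${v} is a public suffix`);
  }
  origin.domain = v;
  return origin;
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain", the check that gates DOM access between frames:
// identical origins with identical domain slots, or identical schemes with
// identical non-null domain slots (both pages opted in to the same value).
function sameOriginDomain(a, b) {
  if (sameOrigin(a, b) && a.domain === b.domain) return true;
  return a.scheme === b.scheme && a.domain !== null && a.domain === b.domain;
}

// The longest suffix two hosts have in common, if it is a value both could
// legally assign to document.domain; null when there is none (e.g. only a
// public suffix such as "com" or "co.uk" is shared).
function sharedDocumentDomain(hostA, hostB) {
  const la = hostA.split(".").reverse();
  const lb = hostB.split(".").reverse();
  const common = [];
  for (let i = 0; i < Math.min(la.length, lb.length) && la[i] === lb[i]; i++) {
    common.unshift(la[i]);
  }
  const candidate = common.join(".");
  if (candidate === "" || PUBLIC_SUFFIXES.has(candidate)) return null;
  return candidate;
}

// Can a page on hostA and a page on hostB end up same origin-domain, given
// that both are willing to set document.domain?
function canReachEachOther(hostA, hostB) {
  const a = makeOrigin("https", hostA);
  const b = makeOrigin("https", hostB);
  const shared = sharedDocumentDomain(hostA, hostB);
  if (shared !== null) {
    setDocumentDomain(a, shared);
    setDocumentDomain(b, shared);
  }
  return sameOriginDomain(a, b);
}

// Constructed host pairs: a site next to its user-content host.
for (const [site, content] of [
  ["a.example.com", "b.example.com"],          // sibling subdomains
  ["a.example.com", "b.example-usercontent.com"], // separate registrable domain
  ["a.foo.co.uk", "b.foo.co.uk"],              // shared parent under co.uk
  ["a.co.uk", "b.co.uk"],                      // only a public suffix shared
]) {
  console.log(`${site} <-> ${content}: shared domain=${sharedDocumentDomain(site, content)}, reachable=${canReachEachOther(site, content)}`);
}
```

The model only covers the domain-suffix and public-suffix checks; the real setter has further conditions (sandboxed documents, opaque origins), and recent Chromium-based browsers ship with the setter disabled by default. The spec still defines it, though, so a review of the warning should assume that sibling subdomains can be made to share an origin-domain.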

