[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
ian at hixie.ch
Thu Sep 25 14:08:49 PDT 2008
On Thu, 25 Sep 2008, Michal Zalewski wrote:
> I am posting here on the advice of Ian Hickson; I'm new to the list, so
> please forgive me if any of this brings up long-dismissed concepts;
> hopefully not.
Thanks for the e-mail.
> Problem definition: a malicious page in domain A may create an IFRAME
> pointing to an application in domain B, to which the user is currently
> authenticated with cookies. The top-level page may then cover portions
> of the IFRAME with other visual elements to seamlessly hide everything
> but a single UI button in domain B, such as "delete all items", "click
> to add Bob as a friend", etc. It may then provide its own, misleading UI
> that implies that the button serves a different purpose and is a part of
> site A, inviting the user to click it. Although the examples above are
> naive, this is clearly a problem for a good number of modern, complex
> web applications.
In addition to gadgets, one other type of site that is affected by
anything we do here would be sites that have UIs like Google Image Search.
I don't think we should break those either.
I would like feedback from browser vendors on this topic, ideally in the
form of experimental implementations. Personally I think the idea of
disabling the contents of a cross-origin iframe that has been partially
obscured or rendered partially off-screen is the best idea, but whether we
can adopt it depends somewhat on whether browser vendors are willing to
adopt it and implement it. It requires no standards changes to implement.
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
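The heuristic Ian sketches above (disable the contents of a cross-origin iframe that is partially covered or partially off-screen) can be modelled as a pure geometry check. The following is an added example, not code from the thread and not any browser's implementation; the rectangles, z-indexes and viewport size are constructed to mirror the problem definition Michal gives (an overlay leaving only one button of domain B exposed), and `assessFrame`, `unionArea` and the `*_B` / `*_OVERLAYS` constants are names chosen here, not anything in a browser API:

```javascript
// Added example (not from the thread): a model of the heuristic Ian proposes,
// disabling input to a cross-origin iframe that is partially covered by other
// elements of the top-level page or partially outside the viewport.
// Rectangles are { x, y, w, h } in CSS pixels, the shape getBoundingClientRect()
// returns; zIndex stands in for paint order. All geometry below is constructed.

function intersect(a, b) {
  if (!a || !b) return null;
  const left = Math.max(a.x, b.x);
  const top = Math.max(a.y, b.y);
  const right = Math.min(a.x + a.w, b.x + b.w);
  const bottom = Math.min(a.y + a.h, b.y + b.h);
  if (right <= left || bottom <= top) return null;
  return { x: left, y: top, w: right - left, h: bottom - top };
}

function area(r) {
  return r ? r.w * r.h : 0;
}

// Area of the union of possibly overlapping rectangles, by coordinate
// compression: split the plane into cells along every edge coordinate and
// count each cell once if any rectangle contains its centre.
function unionArea(rects) {
  const xs = [...new Set(rects.flatMap(r => [r.x, r.x + r.w]))].sort((p, q) => p - q);
  const ys = [...new Set(rects.flatMap(r => [r.y, r.y + r.h]))].sort((p, q) => p - q);
  let total = 0;
  for (let i = 0; i + 1 < xs.length; i++) {
    for (let j = 0; j + 1 < ys.length; j++) {
      const cx = (xs[i] + xs[i + 1]) / 2;
      const cy = (ys[j] + ys[j + 1]) / 2;
      const covered = rects.some(r =>
        cx >= r.x && cx < r.x + r.w && cy >= r.y && cy < r.y + r.h);
      if (covered) total += (xs[i + 1] - xs[i]) * (ys[j + 1] - ys[j]);
    }
  }
  return total;
}

// frame: { rect, zIndex } for the cross-origin iframe.
// elements: other boxes of the top-level page, each { rect, zIndex }.
// Returns how much of the frame the user can actually see and whether the
// heuristic would disable its contents.
function assessFrame(frame, elements, viewport) {
  const total = area(frame.rect);
  const onScreen = intersect(frame.rect, viewport);
  // Only boxes painted above the frame can hide any part of it.
  const covering = elements
    .filter(el => el.zIndex > frame.zIndex)
    .map(el => intersect(el.rect, onScreen))
    .filter(Boolean);
  const coveredArea = unionArea(covering);
  const visibleArea = area(onScreen) - coveredArea;
  const reasons = [];
  if (area(onScreen) < total) reasons.push('partially off-screen');
  if (coveredArea > 0) reasons.push('partially obscured');
  return {
    visibleArea,
    visibleFraction: total ? visibleArea / total : 0,
    disabled: reasons.length > 0,
    reasons,
  };
}

// Constructed scenario matching the problem definition: domain A frames
// domain B's 600x400 page and stacks two opaque boxes over it, leaving only a
// 100x100 window (where B's "delete all items" button would sit) exposed.
const VIEWPORT = { x: 0, y: 0, w: 1024, h: 768 };
const FRAMED_B = { rect: { x: 100, y: 100, w: 600, h: 400 }, zIndex: 0 };
const REDRESS_OVERLAYS = [
  { rect: { x: 100, y: 100, w: 600, h: 300 }, zIndex: 10 },
  { rect: { x: 100, y: 400, w: 500, h: 100 }, zIndex: 10 },
];
// Legitimate framing (a gadget, or an Image Search style wrapper): the frame is
// fully on screen and only a page background sits below it in paint order.
const BENIGN_ELEMENTS = [{ rect: VIEWPORT, zIndex: -1 }];
// The same frame pushed partly outside the viewport.
const OFFSCREEN_B = { rect: { x: -200, y: 100, w: 600, h: 400 }, zIndex: 0 };

console.log(assessFrame(FRAMED_B, REDRESS_OVERLAYS, VIEWPORT));
console.log(assessFrame(FRAMED_B, BENIGN_ELEMENTS, VIEWPORT));
console.log(assessFrame(OFFSCREEN_B, BENIGN_ELEMENTS, VIEWPORT));
```

In the redress scenario only 10000 of the frame's 240000 square pixels remain visible, so the heuristic disables it; the fully visible, uncovered frame (the Google Image Search style case Ian does not want to break) passes untouched. The model only looks at axis-aligned boxes and paint order; a real implementation would also have to account for transforms, opacity and elements that are painted above the frame without being opaque, which is exactly the kind of detail Ian asks browser vendors to explore in experimental implementations.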