[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Robert O'Callahan robert at ocallahan.org
Thu Sep 25 16:39:43 PDT 2008


On Fri, Sep 26, 2008 at 10:23 AM, Michal Zalewski <lcamtuf at dione.cc> wrote:

> I meant, corner of the container, rather than actual document rendered
> within. If deals strictly with the frame beginning outside the current
> viewport to hide some of its contents, but leave small portions of the UI
> exposed to misdirected clicks. Doing the same check for bottom right is very
> much possible, although does not seem to thwart any particularly plausible
> attacks.


Seems like this will create a really bad user experience. The user scrolling
around in the outer document will make IFRAMEs in it mysteriously become
enabled or disabled.

Jesse Ruderman suggested this in 2002, more or less, and I didn't like then,
and I don't like it any more now.

Anyway, this option 3) will require extension to deal with opacity:0 and SVG
<filter> attacks. That's probably not hard to do, but it's a warning sign
that it might not be very robust as the Web evolves. It also needs to treat
size changes to the IFRAME as decloaking requiring a UI input lockout. In
fact, pretty much any change that makes a lot more of the iframe be exposed
needs to be detected, including stuff like sudden CSS transform rescaling...
Ugh.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080926/c7e48cf1/attachment.htm>


More information about the whatwg mailing list