[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
lcamtuf at dione.cc
Mon Sep 29 04:41:59 PDT 2008
On Mon, 29 Sep 2008, Hallvord R M Steen wrote:
> To give webmasters more ways to deal with this situation, I think we
> should implement the Access Control "Origin" HTTP-header only (assuming
> that it should refer to the top site in the frameset hierarchy).
I definitely like the "Origin" proposal the most of all the opt-in
schemes, simply because it permits trusted domains to be whitelisted for
many applications that rely on same-origin separation to implement
It still completely ignores the question of how we protect gadgets /
mashups / whatever that are *designed* to be embedded on potentially
untrusted sites, but depend on having the integrity of their UIs
preserved, so I think we need - or well, should - tackle this aspect
separately if this is the consensus for now.
Note that the current implementation proposals for "Origin" headers (which
I believe are limited to non-GET, non-HEAD requests) would not prevent
this attack, nor some other potential attack vectors; they would probably
need to be modified to include "Origin" header on SRC= GET requests on
IFRAME / EMBED / OBJECT / APPLET.
Extending the scheme to include SCRIPT would also cover script-inclusion
attacks; extending it to all automated navigation (SRC=, REL=, scripted
form submissions and location updates, etc) would prevent a broader set of
XSRF and XSS attacks than the original proposal, but that's purely
optional. But the bottom line is, there are some extra birds we could hit
with that stone.
> Sites may want to use any of several policies in a "somebody framed
> me" situation. For example, these are all policies a site may want to
> 1. nobody may frame my content
> 2. selected sites only may frame my content
> 3. anyone may frame my content but not re-use an existing session
> 4. anyone may frame my content
As noted, one important scenario which we do not account for is "5. anyone
may iframe my content, but I want my UI not to get clobbered". This would
realistically be the expectation for almost any privileged / authenticated
gadget to be embedded on third-party pages.
More information about the whatwg