[whatwg] Side effects free scripts

Alexey Feldgendler alexey at feldgendler.ru
Sat May 27 09:58:28 PDT 2006 

Some more thoughts on security of scripted documents.

Though sandboxing, as discussed earlier on this mailing list [1], would be  
a powerful tool to ensure security of scripted documents, it's overkill in  
many situations. Analyzing typical vulnerabilities found in web  
applications, I have found that many of them are caused by the possibility  
to trick the user agent into execution of a malicious script. This is  
often achieved by including scripts in unusual places in user-supplied  
code, such as the following text in a blog comment:

<span style="color:expression(...steal cookies...)">LOL!</span>

If the HTML cleaner fails to strip this, too bad. Sometimes, it's more  
complex than that, but the idea is the same: put a script in some  
unexpected place. (Another example:  
style="background:url(javascript:...)".)

Sandboxes would, of course, deal with this, but there is a much simpler  
measure targeted specifically at such exploits.

I propose to define the notion of "side effect free script". All browsers  
which allow scripts in declarations like CSS should only allow side effect  
free scripts in such places.

A script thread should be started in side effect free mode if the script  
is invoked from:

1. Anywhere within CSS, including inline style attributes.

2. Any javascript: URI of external stylesheets, scripts, objects and such.

3. Other ideas?

When a script thread is in side effect free mode:

1. It stays in this mode until the thread completes.

2. It can call any non-native function, but the same restrictions apply.

3. It cannot assign any variables except locals.

4. It cannot call any native function except those specifically marked by  
the spec as side effects free. For example, sin() is side effects free,  
and window.open() is not.

5. It can read any property that can be normally read.

6. It cannot assign any property for which a native setter function is  
used.

7. It cannot create new object instances except those specifically marked  
by the spec as side effects free. For example, RegExp is side effects  
free, and Image is not.

8. Any attempt to break these restrictions should generate an exception.

9. Optionally, execution time limit may be imposed on the thread, so that  
it doesn't make the document unrenderable by running an endless loop  
inside CSS expression().

The above is very raw thoughts. I'd like to hear some feedback on the idea  
itself.

References:

1.  
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2005-December/005301.html


-- 
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com

More information about the whatwg mailing list