[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

[Maciej Stachowiak]

On Sep 29, 2008, at 9:42 PM, Ian Hickson wrote:

> On Mon, 29 Sep 2008, Maciej Stachowiak wrote:
>> On Sep 28, 2008, at 3:32 AM, Robert O'Callahan wrote:
>>>
>>> I'm suggesting just reusing the Access Controls spec for that.
>>>
>>> So for example, the server could say:
>>> Same-Origin-Only-Unless-Access-Controls-Says-Otherwise: yes
>>> Access-Control-Allow-Origin: http://example.com
>>
>> I think this is a really good proposal. It would allow Web sites to
>> place all content under a single uniform policy for access control,  
>> as
>> opposed to the state today where cross-site access depends on how the
>> resource is embedded.
>
> I don't think this would really work for Google. Many widgets (e.g.  
> the
> mapping widget) are expected to be placed on any site, but how could  
> the
> widget provider know who is evil and who isn't? What about if an  
> otherwise
> not evil site is compromised? (This happens regularly, especially  
> with,
> e.g., sites with forum software or blog software.) We don't want a
> vulnerability in a widget host site to immediately allow this kind of
> attack on all the widgets that that site hosts.
>
> Secondly, consider Google Image Search, or Reddit with its "open  
> link with
> reddit toolbar" option, or any other site that allows arbitrary Web
> navigation in a frame or iframe while hosting some sort of toolbar  
> content
> from its own page in another frame or container page. This option  
> would
> mean that many sites would stop working with these containers, despite
> these containers not doing anything evil (there's no overlapping  
> content,
> the user is fully aware of what's going on, etc).

I did not think of that. But I don't think there has been a solution  
proposed yet that wouldn't break some content under some  
circumstances. This proposal at least has the advantage of not  
involving the layout code in security policy.

Regards,
Maciej