[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

[Ian Hickson]

On Thu, 25 Sep 2008, Michal Zalewski wrote:
> 
> I am posting here on the advice of Ian Hickson; I'm new to the list, so 
> please forgive me if any of this brings up long-dismissed concepts; 
> hopefully not.

Thanks for the e-mail.


> Problem definition: a malicious page in domain A may create an IFRAME 
> pointing to an application in domain B, to which the user is currently 
> authenticated with cookies. The top-level page may then cover portions 
> of the IFRAME with other visual elements to seamlessly hide everything 
> but a single UI button in domain B, such as "delete all items", "click 
> to add Bob as a friend", etc. It may then provide own, misleading UI 
> that implies that the button serves a different purpose and is a part of 
> site A, inviting the user to click it. Although the examples above are 
> naive, this is clearly a problem for a good number of modern, complex 
> web applications.

In addition to gadgets, one other type of site that is affected by 
anything we do here would be sites that have UIs like Google Image Search. 
I don't think we should break those either.


I would like feedback from browser vendors on this topic, ideally in the 
form of experimental implementations. Personally I think the idea of 
disabling the contents of a cross-origin iframe that has been partially 
obscured or rendered partially off-screen is the best idea, but whether we 
can adopt it depends somewhat on whether browser vendors are willing to 
adopt it and implement it. It requires no standards changes to implement.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'