[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Elliotte Rusty Harold elharo at metalab.unc.edu
Fri Sep 26 14:19:59 PDT 2008

Michal Zalewski wrote:

> I kinda assumed this suggestion was tongue-in-cheek, but if not - 
> banning cross-domain IFRAMEs to fix one flaw, without providing viable 
> methods for sandboxing untrusted same-origin content, would leave web 
> developers with no tools to deal with quite a few classes of major 
> security issues.

It's tongue-in-cheek that I don't expect it to be adopted or seriously 
considered (this year). It's not tongue-in-cheek in that I very much 
wish it were adopted. That is, I think it's in the realm of the 
desirable, not the possible.

I am curious what issues you see with same origin content. They 
certainly exist, but I tend to feel those are orthogonal to the issues 
at hand, and subject for a separate discussion.

I do think we have an existence proof that security in this realm is 
possible. That's Java. Modulo some outright bugs in VMs (since repaired), 
the default Java applet security model has worked and worked well since 
1.0 beta 1. (1.0 alpha 1 wasn't quite strict enough.) I have seen no 
security design flaws exposed in Java applets in over ten years. That's 
why I suspect duplicating Java's security policy in HTML is a safe way 
forward. I'm skeptical that anything less will suffice.

I don't expect this to happen, however, because many large players are 
exploiting existing security design flaws in the web to do things they 
shouldn't be allowed to do in the first place, especially tracking 
users. Any scheme that limits the ability of advertisers and others to 
track users will be strenuously resisted.

Elliotte Rusty Harold
elharo at metalab.unc.edu
