[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Fri Sep 26 15:34:45 PDT 2008


On Fri, 26 Sep 2008, Elliotte Rusty Harold wrote:

> It's tongue-in-cheek that I don't expect it to be adopted or seriously 
> considered (this year). It's not tongue-in-cheek in that I very much 
> wish it were adopted. That is, I think it's in the realm of the 
> desirable, not the possible.

Oh yup, agreed there; with current DOM manipulation capabilities, and with 
the hopefully upcoming flexible, site-controlled security policies, 
IFRAMEs could probably safely go away in a decade or so for most intents 
and purposes.

> I am curious what issues you see with same origin content. They 
> certainly exist, but I tend to feel those are orthogonal to the issues 
> at hand, and subject for a separate discussion.

Yup, these are best addressed by introducing better security controls wrt 
content sniffing, sandboxing, etc, rather than keeping IFRAMEs around. 
It's just that killing IFRAMEs before these improvements are introduced 
would probably do some harm.

The general problem is, let's assume my application wants to show you a 
third-party gadget, a document of an unknown format sent to you in an 
e-mail, or a raw HTML page that cannot be scrubbed down, or that we do not 
believe we can scrub well enough (this is a very difficult task by itself, 
given browser-specific HTML parsing quirks). Further assume that I want to 
do it within some other, trusted UI, to offer a more intuitive and 
streamlined user experience, instead of creating new minimal, 
non-interactive tabs. The only way to do it right now without risking the 
content gaining control of the UI is to keep it in a separate, untrusted 
"sandbox" domain, and use IFRAMEs to embed the data within the UI. Quite a 
few web apps adopted this approach for better or worse to implement useful 
functionality.

Cheers,
/mz



More information about the whatwg mailing list