[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Sat Sep 27 04:41:06 PDT 2008
On Sat, 27 Sep 2008, Robert O'Callahan wrote:
> Default permission of cross-domain loads is responsible for *a lot* of
> problems. Allowing sites to escape that would address a lot of problems,
> even if it is opt-in. Eventually we could hope to reach a state where
> all browsers support it, and most sites request it --- a much saner Web
> IMHO.
Yup, by all means, it solves a lot of other problems - and devising a
*comprehensive* solution (not a new specialty HTTP header to deal with
IFRAMEs and OBJECT/EMBED/APPLETs specifically), even if opt-in, has the
benefit of actually reducing complexity for web app developers (in terms
of custom XSRF / script inclusion checks, etc, that they could ditch).
The issue is, a considerable implementation effort is involved in most of
these comprehensive designs (given how current same-origin checks, and
code taking cross-domain actions with no same-origin checks, are typically
scattered), and there are lots of open questions (e.g., there are some
important performance trade-offs depending on the granularity of resources
and the types of requests we want to run checks on; site-wide policies vs.
per-URL policies; etc).
On top of that, there seem to be several incompatible proposals from
various groups, with vendors seemingly not willing to back off. Microsoft
is pursuing their proposal for cross-domain policies in MSIE8, Mozilla
devs had another (and every other security researcher probably has their
"own and better" design in the drawer, about to bring it out the moment
they are asked for advice).
Bottom line is, I would be very surprised if such functionality were in a
state that can be relied upon by web applications in the next 5-8 years
(more if the abysmally slow MSIE6 -> MSIE7 migration is bound to repeat
with the next major versions)... and I am not entirely comfortable with UI
redress attacks being around for so long; I suppose most browser vendors
are not happy either, given the recent / likely upcoming press attention.
Cheers,
/mz