[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Anne van Kesteren
annevk at opera.com
Sat Sep 27 04:36:28 PDT 2008
On Sat, 27 Sep 2008 13:41:06 +0200, Michal Zalewski <lcamtuf at dione.cc>
> On Sat, 27 Sep 2008, Robert O'Callahan wrote:
>> Default permission of cross-domain loads is responsible for *a lot* of
>> problems. Allowing sites to escape that would address a lot of
>> problems, even if it is opt-in. Eventually we could hope to reach a
>> state where all browsers support it, and most sites request it --- a
>> much saner Web IMHO.
> Yup, by all means, it solves a lot of other problems - and devising a
> *comprehensive* solution (not a new specialty HTTP header to deal with
> IFRAMEs and OBJECT/EMBED/APPLETs specifically), even if opt-in, has the
> benefit of actually reducing complexity for web app developers (in terms
> of custom XSRF / script inclusion checks, etc, that they could ditch).
> The issue is, a considerable implementation effort is involved in most
> of these comprehensive designs (given how current same-origin checks,
> and code taking cross-domain actions with no same-origin checks, is
> typically scattered), lots of open questions (e.g., there are some
> important performance trade-offs depending on the granularity of
> resources, the types of requests we want to run checks on; site-wide
> policies and per-URL policies; etc).
Could you list these comprehensive designs perhaps?
> On top of that, there seem to be several incompatible proposals from
> various groups, with vendors seemingly not willing to back off.
> Microsoft is pursuing their proposal for cross-domain policies in MSIE8,
> Mozilla devs had another (and every other security researcher has
> probably their "own and better" design in the drawer, about to bring it
> out the moment they are asked for advice).
Are you talking about cross-site requests here? FWIW, for that particular
problem I believe all vendors agree on the same server protocol, but not
on the request mechanism. That is, non-Microsoft will do that by evolving
XMLHttpRequest (see XMLHttpRequest Level 2) and Microsoft does it through
However, that's an opt _in_ API as such requests are by default not
Anne van Kesteren
More information about the whatwg