[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Mon Sep 29 15:14:23 PDT 2008

On Tue, 30 Sep 2008, Robert O'Callahan wrote:

> We can easily offer these developers the following options:
> a) developers of privileged gadgets can whitelist domains that they trust to
> not subvert the UI

How is this achieved? If I have a chat ("talk to site owner using your 
$foo chat account") or calendar overlay ("see scheduled events overlaid on 
your calendar") gadget that is to be embedded freely by third-parties, and 
offers a "privileged" UI - even if I require sites to pre-register or 
otherwise build a whitelist of these untrusted domains, I have no 
assurance they would play nice.

> b) privileged gadgets can be offered to the world as long as the IFRAME's
> own UI is not trusted. For example, gadgets whose purpose is to offer a
> postMessage API to untrusted container pages would be just fine.

Sure, but then it makes the model drastically different, and suitable for 
different uses (many privileged gadgets may specifically not want to 
disclose any presented information to the top level page).

> c) spawn new windows/tabs to perform or confirm privileged operations

That's a terrible user experience, by most accounts, and goes against the 
concept of a gadget; I believe it is often avoided at all costs except 
when absolutely necessary (e.g., login, where the user needs the 
opportunity to verify URL, SSL status, etc).


More information about the whatwg mailing list