[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
lcamtuf at dione.cc
Mon Sep 29 15:14:23 PDT 2008
On Tue, 30 Sep 2008, Robert O'Callahan wrote:
> We can easily offer these developers the following options:
> a) developers of privileged gadgets can whitelist domains that they trust to
> not subvert the UI
How is this achieved? If I have a chat ("talk to site owner using your
$foo chat account") or calendar overlay ("see scheduled events overlaid on
your calendar") gadget that is to be embedded freely by third-parties, and
offers a "privileged" UI - even if I require sites to pre-register or
otherwise build a whitelist of these untrusted domains, I have no
assurance they would play nice.
> b) privileged gadgets can be offered to the world as long as the IFRAME's
> own UI is not trusted. For example, gadgets whose purpose is to offer a
> postMessage API to untrusted container pages would be just fine.
Sure, but then it makes the model drastically different, and suitable for
different uses (many privileged gadgets may specifically not want to
disclose any presented information to the top level page).
> c) spawn new windows/tabs to perform or confirm privileged operations
That's a terrible user experience, by most accounts, and goes against the
concept of a gadget; I believe it is often avoided at all costs except
when absolutely necessary (e.g., login, where the user needs the
opportunity to verify URL, SSL status, etc).
More information about the whatwg