[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Robert O'Callahan robert at ocallahan.org
Mon Sep 29 15:25:55 PDT 2008

On Tue, Sep 30, 2008 at 11:14 AM, Michal Zalewski <lcamtuf at dione.cc> wrote:

> On Tue, 30 Sep 2008, Robert O'Callahan wrote:
>  We can easily offer these developers the following options:
>> a) developers of privileged gadgets can whitelist domains that they trust
>> to
>> not subvert the UI
> How is this achieved? If I have a chat ("talk to site owner using your $foo
> chat account")

If the chat gadget is configured to only talk to the site owner, how can it
be abused? I suppose the site owner can discover the chat nick of a visitor
who otherwise wouldn't want to disclose it. That's a risk that the chat
system developers might very well be willing to accept.

or calendar overlay ("see scheduled events overlaid on your calendar")
> gadget that is to be embedded freely by third-parties,

If it's read-only, again, what's the risk? The user might want to interact
with the IFRAME to scroll and search, but even if those are spoofed, there's
no way for the container to abuse this, as far as I can tell.

I understand there are more interesting examples, but these ones don't seem
to make your case.

>  c) spawn new windows/tabs to perform or confirm privileged operations
> That's a terrible user experience, by most accounts, and goes against the
> concept of a gadget; I believe it is often avoided at all costs except when
> absolutely necessary (e.g., login, where the user needs the opportunity to
> verify URL, SSL status, etc).

Maybe we can make it a better user experience, for example, by allowing the
new window/tab to appear as a new pane at the top or bottom of the existing
tab. That would nicely handle your chat example, IMHO.

"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080930/082b886b/attachment-0001.htm>

More information about the whatwg mailing list