[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Ian Hickson ian at hixie.ch
Mon Sep 29 21:42:51 PDT 2008


On Mon, 29 Sep 2008, Maciej Stachowiak wrote:
> On Sep 28, 2008, at 3:32 AM, Robert O'Callahan wrote:
> > 
> > I'm suggesting just reusing the Access Controls spec for that.
> > 
> > So for example, the server could say: 
> > Same-Origin-Only-Unless-Access-Controls-Says-Otherwise: yes 
> > Access-Control-Allow-Origin: http://example.com
> 
> I think this is a really good proposal. It would allow Web sites to 
> place all content under a single uniform policy for access control, as 
> opposed to the state today where cross-site access depends on how the 
> resource is embedded.

I don't think this would really work for Google. Many widgets (e.g. the 
mapping widget) are expected to be placed on any site, but how could the 
widget provider know who is evil and who isn't? What about if an otherwise 
not evil site is compromised? (This happens regularly, especially with, 
e.g., sites with forum software or blog software.) We don't want a 
vulnerability in a widget host site to immediately allow this kind of 
attack on all the widgets that that site hosts.

Secondly, consider Google Image Search, or Reddit with its "open link with 
reddit toolbar" option, or any other site that allows arbitrary Web 
navigation in a frame or iframe while hosting some sort of toolbar content 
from its own page in another frame or container page. This option would 
mean that many sites would stop working with these containers, despite 
these containers not doing anything evil (there's no overlapping content, 
the user is fully aware of what's going on, etc).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
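
The header pair proposed in the quoted text, modelled as an embedding check and run against the cases the reply raises. This is an added example, not part of the original message or of any specification. The thread does not define enforcement, so the semantics in `mayEmbed` are an assumption, and all hostnames other than `http://example.com` are constructed.

```javascript
// Added illustration, not from the thread. Assumed semantics: with the opt-in
// header set to "yes", a cross-origin embedder may load the resource only when
// Access-Control-Allow-Origin is "*" or names the embedder's origin.
const OPT_IN = "same-origin-only-unless-access-controls-says-otherwise";

function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

function mayEmbed(resourceUrl, embedderUrl, headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const embedder = originOf(embedderUrl);
  if (embedder === null) return false;                        // unparseable embedder: refuse
  if (embedder === originOf(resourceUrl)) return true;        // same origin
  if ((h[OPT_IN] || "").toLowerCase() !== "yes") return true; // no opt-in: unchanged behaviour
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return false;                      // opted in, nobody listed
  return allow === "*" || originOf(allow) === embedder;
}

// Constructed hosts (.example is reserved); none come from the thread.
const optIn = { "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise": "yes" };
const anywhere = { ...optIn, "Access-Control-Allow-Origin": "*" };
const onePartner = { ...optIn, "Access-Control-Allow-Origin": "http://example.com" };

function scenarios() {
  return {
    // Widget meant for any site: the only workable value admits hostile embedders too.
    widgetOnHostileSite: mayEmbed("http://widget.example/map", "http://hostile.example/", anywhere),
    // Allow-listed host: still admitted after it is compromised; the header cannot tell.
    widgetOnListedHost: mayEmbed("http://widget.example/map", "http://example.com/forum", onePartner),
    widgetOnUnlistedHost: mayEmbed("http://widget.example/map", "http://other.example/", onePartner),
    // Ordinary site that opts in: a benign toolbar frame container is refused.
    pageInToolbarFrame: mayEmbed("http://news.example/story", "http://toolbar.example/view", optIn),
    pageFramedBySelf: mayEmbed("http://news.example/story", "http://news.example/index", optIn),
  };
}

console.log(scenarios());
```
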


