[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Ian Hickson ian at hixie.ch
Tue Sep 30 03:16:37 PDT 2008 

On Tue, 30 Sep 2008, Robert O'Callahan wrote:
> >
> > I don't think this would really work for Google. Many widgets (e.g. 
> > the mapping widget) are expected to be placed on any site, but how 
> > could the widget provider know who is evil and who isn't? What about 
> > if an otherwise not evil site is compromised? (This happens regularly, 
> > especially with, e.g., sites with forum software or blog software.) We 
> > don't want a vulnerability in a widget host site to immediately allow 
> > this kind of attack on all the widgets that that site hosts.
> 
> Choose your friends carefully.

I'm not sure how that helps here. Are you saying widget providers 
shouldn't do business with site owners who use popular blogging tools?


> But really, why does this mapping widget need to expose UI that can be 
> abused to do evil things with my Google account?

In the case of the mapping widget it doesn't, but consider a chat widget, 
that enables users to chat with the site owner. If this widget had a 
button that sent a message, a hostile site could perform a DDOS attack on 
the site owner by embedding the widget host itself in an iframe, and 
aligning everything such that all the users tricked into going to that 
page and logged in to the chat widget would cause the victim site owner to 
get messaged, potentially resulting in thousands of such messages.

This isn't really that hypothetical, either. Such chat widgets are 
starting to appear.

I think we need to consider that such widgets will become common and could 
easily be vulnerable to this kind of thing, and should be protected.


> > Secondly, consider Google Image Search, or Reddit with its "open link 
> > with reddit toolbar" option, or any other site that allows arbitrary 
> > Web navigation in a frame or iframe while hosting some sort of toolbar 
> > content from its own page in another frame or container page. This 
> > option would mean that many sites would stop working with these 
> > containers, despite these containers not doing anything evil (there's 
> > no overlapping content, the user is fully aware of what's going on, 
> > etc).
> 
> If I understand correctly, with Michal's option 3, those sites would 
> also stop working as soon as the user scrolled down in the framed page 
> (so that the top-left of the framed page is out of view).

Any solution that breaks those sites is a non-starter IMHO.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list