[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
ian at hixie.ch
Tue Sep 30 03:16:37 PDT 2008
On Tue, 30 Sep 2008, Robert O'Callahan wrote:
> > I don't think this would really work for Google. Many widgets (e.g.
> > the mapping widget) are expected to be placed on any site, but how
> > could the widget provider know who is evil and who isn't? What about
> > if an otherwise not evil site is compromised? (This happens regularly,
> > especially with, e.g., sites with forum software or blog software.) We
> > don't want a vulnerability in a widget host site to immediately allow
> > this kind of attack on all the widgets that that site hosts.
> Choose your friends carefully.
I'm not sure how that helps here. Are you saying widget providers
shouldn't do business with site owners who use popular blogging tools?
> But really, why does this mapping widget need to expose UI that can be
> abused to do evil things with my Google account?
In the case of the mapping widget it doesn't, but consider a chat widget,
that enables users to chat with the site owner. If this widget had a
button that sent a message, a hostile site could perform a DDOS attack on
the site owner by embedding the widget host itself in an iframe, and
aligning everything such that all the users tricked into going to that
page and logged in to the chat widget would cause the victim site owner to
get messaged, potentially resulting in thousands of such messages.
This isn't really that hypothetical, either. Such chat widgets are
starting to appear.
I think we need to consider that such widgets will become common and could
easily be vulnerable to this kind of thing, and should be protected.
> > Secondly, consider Google Image Search, or Reddit with its "open link
> > with reddit toolbar" option, or any other site that allows arbitrary
> > Web navigation in a frame or iframe while hosting some sort of toolbar
> > content from its own page in another frame or container page. This
> > option would mean that many sites would stop working with these
> > containers, despite these containers not doing anything evil (there's
> > no overlapping content, the user is fully aware of what's going on,
> > etc).
> If I understand correctly, with Michal's option 3, those sites would
> also stop working as soon as the user scrolled down in the framed page
> (so that the top-left of the framed page is out of view).
Any solution that breaks those sites is a non-starter IMHO.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg