[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

[Robert O'Callahan]

On Tue, Sep 30, 2008 at 10:33 PM, Michal Zalewski <lcamtuf at dione.cc> wrote:

> On Tue, 30 Sep 2008, Robert O'Callahan wrote:
>
>  If I understand correctly, with Michal's option 3, those sites would also
>> stop working as soon as the user scrolled down in the framed page (so that
>> the top-left of the framed page is out of view).
>>
>
> Nope, the restriction applies strictly to the top-left corner of the
> *container* getting scrolled of the screen - not that of the content
> displayed within that container. In all the cases outlined by Ian, the
> IFRAMEs stay on screen, it's just that the content gets scrolled.


I don't think that's secure. The outer page can set the IFRAME's URL to
contain a #xyz fragment identifier, scrolling the 'xyz' element into view
for any element with id 'xyz'; for many pages, this could allow the outer
page great flexibility in scrolling the framed content to a desired
position. That gives you the same visual effect as moving the top-left of
the container off the screen (especially if you add "scrolling=no" to the
IFRAME so scrollbars are suppressed), so it should be treated the same way.

I suppose you could handle that by disabling input to the IFRAME while its
URL has a fragment identifier. But that doesn't work because AJAXy pages
like to store state in the fragment identifier. So you need to disable input
to the IFRAME while its URL has a fragment identifier that was set by the
outer page. Ugh.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20081001/47fb2a25/attachment-0001.htm>