[whatwg] updateWithSanitizedHTML (was Re: innerStaticHTML)

Kornel Lesiński kornel at geekhood.net
Tue Dec 1 08:03:47 PST 2009

>> And even whitelist for CSS properties couldn't be used to implement  
>> "No
>> external access" policy (allow images with data: urls, allow http:  
>> links,
>> but not http: images). This would be useful for webmails and other  
>> places
>> where website doesn't want to allow 3rd parties tracking views.
> I don't think an no external access policy is worth supporting
> explicitly.  If it falls out of a general design, that's great, but I
> don't think the use case is compelling enough to accept the design
> constraints required to support it.

I think it is quite important for privacy. Otherwise "web bugs" can be  
placed and used to track every use of content in every mashup.

Most often I'd like formatted text in applications to be just text,  
_completely_ passive.

>> "No clickjacking" option might be useful as well.
> I don't have a clear idea how this would work.  Did you have something
> different in mind than X-Frame-Options (already supported by WebKit)?

On a second thought clickjacking is probably not the right term for  
what I have in mind, although it's a similar issue.

The problem is that content added in DOM could use styles to overlay  
web application's "chrome" and steal data with forms or redirect  
standard links/buttons to phising site, e.g. <form action=evil  
style="position:fixed; top:0; right:0"> that's positioned on top of  
website's standard login form.

Position:fixed escapes elements with  
"position:relative;overflow:hidden", so AFAIK this cannot be prevented  
without removal of all position:fixed styles from untrusted content.

Such hack has been used on auction site allegro.pl, where auctions'  
descriptions are allowed to use CSS. In that particular case content  
should have been filtered server-side, but I imagine webmails, web- 
based feed readers and all kinds of mashups dynamically loading  
untrusted content could face similar problems, and having <iframe> for  
every bit of content is sometimes problematic.

regards, Kornel

More information about the whatwg mailing list