[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Giorgio Maone
g.maone at informaction.com
Wed Feb 18 04:07:48 PST 2009
Ian Hickson wrote, On 18/02/2009 12.43:
>> 3) Add an on-by-default mechanism that prevents UI actions to be taken
>> when a document tries to obstruct portions of a non-same-origin frame.
>> By carefully designing the mechanism, we can prevent legitimate uses
>> (such as dynamic menus that overlap with advertisements, gadgets, etc)
>> from being affected, yet achieve a high reliability in stopping
>> attacks.
>>
>
> This seems difficult to get right in practice, and browser vendors seem
> reluctant to go down this road.
Incidentally, NoScript's ClearClick is a working implementation of this
"difficult" approach, effective also with same-origin plugin content
(like in the original Clickjacking PoC by RSnake & Grossman).
http://noscript.net/faq#clearclick
-- G
Ian Hickson wrote, On 18/02/2009 12.43:
> On Thu, 25 Sep 2008, Michal Zalewski wrote:
>
>> Problem definition: a malicious page in domain A may create an IFRAME
>> pointing to an application in domain B, to which the user is currently
>> authenticated with cookies. The top-level page may then cover portions
>> of the IFRAME with other visual elements to seamlessly hide everything
>> but a single UI button in domain B, such as "delete all items", "click
>> to add Bob as a friend", etc. It may then provide own, misleading UI
>> that implies that the button serves a different purpose and is a part of
>> site A, inviting the user to click it. Although the examples above are
>> naive, this is clearly a problem for a good number of modern, complex
>> web applications.
>>
>> Proposed fixes:
>>
>> 1) Create a HTTP-level (or HTTP-EQUIV) mechanism along the lines of
>> "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web
>> page to inhibit frame rendering in potentially dangerous situations.
>>
>> Pros:
>>
>> - Super-simple
>>
>> Cons:
>>
>> - "Opt-in", i.e. currently vulnerable sites remain vulnerable unless
>> action is taken
>>
>> - Can't be used for cases where IFRAME content mixing has a legitimate
>> purpose (for example, cross-domain gadgets, certain types of mashups)
>>
>
> In particular, this breaks Image Search tools from various vendors as well
> as navigation aids like the Reddit toolbar.
>
>
>> - Adds yet another security measure (along with cross-domain XHR, MSIE8
>> XSS filters, MSIE P3P cookie behavior, Mozilla security policies)
>> that needs to be employed correctly everywhere to work - which is
>> very unlikely to consistently happen in practice
>>
>> - Along with the aforementioned security features, threatens to
>> result in HTTP header or HTML HTTP-EQUIV size bloat that some sites
>> may care about.
>>
>
> This solution is what IE8 has apparently chosen to use.
>
> Specifically, IE8 will recognise an HTTP header or <meta> pragma directive
> with the name "X-Frame-Options", and will process it as follows:
>
> If the value is a case-insensitive match for "deny" and the browsing
> context being navigated is not a top-level browsing context, replace
> the document with a UA-defined error message.
>
> If the value is a case-insensitive match for "sameorigin" and the
> browsing context being navigated is not a top-level browsing context
> and the origin of the top-level browsing context is not the same as the
> origin of the document in question, replace the document with a
> UA-defined error message.
>
> (The "sameorigin" rule seems like it should check all ancestor browsing
> contexts, not just the top-level one, because otherwise a site X, e.g.
> images.google.com, showing a frame with a document on site Y, e.g.
> hostile.example.com -- which might happen e.g. on something like Google
> Image Search -- would be able to embed another page from site X, e.g. your
> image search preferences, and do clickjacking on it.)
>
> This feature could also be extended to apply to other resources, e.g.
> scripts, images, style sheets, fonts, to prevent them from being used
> cross-origin. This would help, e.g., with securing scripts that contain
> private data.
>
>
>
>> 2) Add a document-level mechanism to make "if nested <show this> else
>> <show that>" conditionals possible without Javascript. One proposal is
>> to do this on the level of CSS (by using either the media-dependency
>> features of CSS or special classes); another is to introduce new HTML
>> tags. This would make it possible for pages to defend themselves even
>> in environments where Javascript is disabled or limited.
>>
>
> This is an interesting idea, though it would be subsumed by Hallvord's
> suggestion with Origin given below, in conjunction with idea 1 above in
> the absence of Origin information.
>
>
>
>> 3) Add an on-by-default mechanism that prevents UI actions to be taken
>> when a document tries to obstruct portions of a non-same-origin frame.
>> By carefully designing the mechanism, we can prevent legitimate uses
>> (such as dynamic menus that overlap with advertisements, gadgets, etc)
>> from being affected, yet achieve a high reliability in stopping
>> attacks.
>>
>
> This seems difficult to get right in practice, and browser vendors seem
> reluctant to go down this road.
>
>
>
>> 4) Enforce a click-to-work mechanism (resembling the Eolas patent
>> workaround) for all cross-domain IFRAMEs.
>>
>
> Experience with the Eolas patent workaround suggests this wouldn't be
> popular, to put in mildly.
>
>
>
>> 5) Rework everything we know about HTML / browser security models to
>> make it possible for domains and pages to specify very specific opt-in
>> / opt-out policies for all types of linking, referencing, such that
>> countering UI redress attacks would be just one of the cases controlled
>> by this mechanism.
>>
>
> This seems like it would still basically need one of the other mechanisms
> as well. Without a more concrete proposal here it's hard to tell what
> exactly this would be.
>
>
> On Thu, 25 Sep 2008, Collin Jackson wrote:
>
>> 6) New cookie attribute: The "httpOnly" cookie flag allows sites to put
>> restrictions on how a cookie can be accessed. We could allow a new flag
>> to be specified in the Set-Cookie header that is designed to prevent
>> CSRF and "UI redress" attacks. If a cookie is set with a "sameOrigin"
>> flag, we could prevent that cookie from being sent on HTTP requests that
>> are initiated by other origins, or were made by frames with ancestors of
>> other origins. In a CSRF or "UI redress" attack scenario, it will appear
>> as though the user is not logged in, and thus the HTTP request will be
>> unable to affect the user's account.
>>
>
> This is an interesting idea, though it only works for Cookie-
> authenticated content (admittedly that is most content). I recommend
> suggesting this to the group currently speccing httpOnly. It seems out of
> scope for HTML5.
>
>
>
>> 7) New HTTP request header: Browser vendors seem to be moving away
>> from "same origin restrictions" towards "verifiable origin labels"
>> that let the site decide whether two security origins trust each
>> other. Recent examples of this are MessageEvent's "origin" property
>> [1], postMessage's "targetOrigin" argument [2], and the HTTP "Origin"
>> header [3] [4] [5]. We can adjust proposal (1) to conform to this
>> philosophy: instead of making it an
>> "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" HTTP response
>> header, make it an "X-Ancestor-Frame-Origin: http://www.evil.com" HTTP
>> request header. This header could be a list of all the origins that
>> are ancestors of the frame that triggered the request. If the site
>> decides it does not like the ancestor frame origin it could reject the
>> request. This could be added as a property of MessageEvent as well to
>> detect client-side-only UI redress attacks.
>>
>
> This could be considered an extension to suggestion 1.
>
>
> On Mon, 29 Sep 2008, Hallvord R M Steen wrote:
>
>> Sites may want to use any of several policies in a "somebody framed me"
>> situation. For example, these are all policies a site may want to
>> deploy:
>>
>> 1. nobody may frame my content
>> 2. selected sites only may frame my content
>> 3. anyone may frame my content but not re-use an existing session
>> 4. anyone may frame my content
>>
>
> Also noted in other e-mails was:
>
> 5. anyone may frame my content, but I want my UI not to get clobbered
>
>
>
>> Giving the site an "Origin: http://www.example.com" HTTP header in the
>> intial request lets the backend implement any of these policies.
>>
>
> (Except 5.)
>
>
>
>> Instead of responding with a payload that always includes some variant
>> of the proposed "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes"
>> header, the site can send or redirect to a framebreaking "embedding
>> forbidden" page for policy #1. It can do so selectively based on origin
>> site and/or requested content for policy #2. It can kill existing
>> cookies, void session and set new origin-specific cookies for policy
>> #3.)
>>
>
> This is a good point. Maybe Adam's Origin draft can help with this? Adam?
>
> This wouldn't reduce the need for the other proposals, though, so that we
> had defense in depth (e.g. for the cases where Origin was stripped, or for
> servers that don't want to do dynamic work like this).
>
>
> On Mon, 29 Sep 2008, Michal Zalewski wrote:
>
>> It still completely ignores the question of how we protect gadgets /
>> mashups / whatever that are *designed* to be embedded on potentially
>> untrusted sites, but depend on having the integrity of their UIs
>> preserved, so I think we need - or well, should - tackle this aspect
>> separately if this is the consensus for now.
>>
>
> I have unfortunately not seen any workable solutions suggested for how to
> solve this, and have no ideas myself.
>
>
> [snip a very long thread -- I did read every e-mail on this thread, and
> these e-mails informed my comments in this e-mail]
>
>
> It seems like the most obvious course of action is to embrace Microsoft's
> X-Frame-Options header, and consider extensions to make it apply to all
> content and/or to make it support CORS headers also in the future.
>
> I would be interested in feedback from browser vendors about the
> feasibility of such an approach.
>
> Is this something we should add to HTML5?
>
> I am interested also in suggestions on how to handle the <meta http-equiv>
> pragma case, where the header can come megabytes into the file. Is it
> acceptable to replace the document in-place once the pragma is seen and
> found to deny embedding?
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090218/83f0f24e/attachment-0001.htm>
More information about the whatwg
mailing list