[whatwg] some thoughts on sandboxed IFRAMEs

Adam Barth whatwg at adambarth.com
Sun Jan 24 22:29:42 PST 2010


On Sun, Jan 24, 2010 at 8:09 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> On Sun, Jan 24, 2010 at 6:19 AM, Adam Barth <whatwg at adambarth.com> wrote:
>> In general, stopping malicious content from exfiltrating data isn't
>> practical.  For example, even including a single hyperlink is often
>> sufficient to exfiltrate a large amount of data.  In user agents that
>> prefetch DNS, the user doesn't even need to click on the link.
>
> DNS prefetching doesn't tell you anything except that someone viewed
> the link, right?  And maybe what their ISP is, in a typical case.
> Including an image tells you their IP address, User-Agent, and so on.

That depends what information the attacker encodes in the host name.
Recall that we're imagining the attacker gets to run JavaScript within
the sandbox, so, for example, the attacker can read the user agent and
encode that in the host name.

> How can you get any data out of a link with no DNS prefetching?  Some
> users will click the link, but not all.  Maybe quite a lot if you
> allow arbitrary CSS, of course . . . you could easily make the whole
> post a link.  But "everyone who clicks on a given post for some
> reason" is still a lot less than "all viewers", which is what image
> inclusions will do.

Well, given that the attacker can use CSS, the attacker can make the
hyperlink fill the entire content area (or at least the area occupied
by the iframe).  The attacker can also use the :hover selector to make
interesting things happen when the user mouses over the link.

The point is that stopping exfiltration is a losing battle that we
shouldn't bother to play.

Adam
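The thread's point is that a hostname alone can carry data, so a realistic defence is to watch for it on the resolver rather than to try to block it in the sandbox. The following is an added example, not code from the thread or from any WHATWG project: it scans a constructed resolver log (assumed format: one "timestamp client qname" per line) and flags queries whose attacker-controllable labels look like encoded payload rather than host names.

```python
import math
from collections import Counter

# Constructed sample resolver log, one "timestamp client qname" per line.
# Third line: a constructed query whose leftmost label is hex-encoded data
# (the bytes of "Mozilla/5.0"), the pattern the thread describes.
# Fourth line: a long but ordinary label, to show it is not flagged.
SAMPLE_LOG = """\
2010-01-24T22:29:42Z 10.0.0.5 www.example.org
2010-01-24T22:29:43Z 10.0.0.5 cdn.example.org
2010-01-24T22:29:44Z 10.0.0.5 4d6f7a696c6c612f352e30.ua.attacker.example
2010-01-24T22:29:45Z 10.0.0.5 staticassetsdelivery.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: roughly 2-3 for words, 3.5-4 for hex/base32 data."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def digit_fraction(s: str) -> float:
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0

def suspicious_labels(qname: str, min_len: int = 16, min_entropy: float = 3.5,
                      min_digits: float = 0.3) -> list[str]:
    """Labels left of the registrable domain that look like encoded payload."""
    labels = qname.lower().rstrip(".").split(".")
    hits = []
    for label in labels[:-2]:  # the attacker controls labels under a domain they own
        if len(label) < min_len:
            continue
        if shannon_entropy(label) >= min_entropy or digit_fraction(label) >= min_digits:
            hits.append(label)
    return hits

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, qname, flagged_labels) for each query worth a look."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname = parts
        labels = suspicious_labels(qname)
        if labels:
            flagged.append((client, qname, labels))
    return flagged
```

Entropy alone is a weak signal (long dictionary-like labels score near 3), so the digit-fraction check is combined with it; tune both thresholds against your own baseline traffic.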
