[whatwg] Revising the content handling logic of <object> and <embed>

[Ian Hickson]

On Mon, 7 Mar 2011, Michal Zalewski wrote:
> 
> <object data="http://somewhere_funny/" type="application/x-shockwave-flash">
> <param name="allowScriptAccess" value="never">
> <param name="allowNetworking" value="never">
> <param name="allowFullScreen" value="never">
> </object>
> 
> Unfortunately, there is the "almost" part: in some originally 
> undocumented cases, browsers permit the attacker to override explicit 
> type= based on URL file extensions, content sniffing, or Content-Type. 
> This makes the aforementioned popular use case dangerous, because any 
> site that wishes to embed a security-restricted Flash movie may end up 
> embedding a Java applet instead, and Java has unconditional access to 
> the DOM of the embedding page via DOMService.

Yes. Do not embed content you do not trust. It's the same problem as 
embedding remote scripts with <script>.

 
> HTML5 spec makes an attempt to explicitly sanction the current behavior, 
> where neither the embedding nor the hosting party have control over how 
> the content will be displayed, in the specification for the <object> 
> element. Given the aforementioned situation, I think this is harmful and 
> needs to be revised.

Not much we can do to change it by default, it's required for Web 
compatibility.


> In my opinion, the preferred outcome would be to make type= 
> authoritative when specified, or provide an alternative way of ensuring 
> specific routing of the retrieved content on markup level. In addition, 
> to resolve existing problems with non-plugin content being interpreted 
> as plugin data (e.g. 
> http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/), it would also 
> be prudent to provide servers a way to demand rendering only if 
> Content-Type provided by the server, and type= in the markup, match.

We can't allow the author to always control the type, because of the 
reverse problem: the embedding author might be an attacker who has managed 
to get a text file onto the remote (victim) server, which would, if 
interpreted as HTML, be an XSS attack.


On Mon, 7 Mar 2011, Boris Zbarsky wrote:
> 
> For what it's worth, I would be _very_ much in favor of having a way for 
> markup to specify "render this <object> only if the Content-Type matches 
> this type" (e.g. a boolean "forceStrictTypeMatch" attribute or 
> whatever).

I've added a "typemustmatch" attribute that does this. Feedback welcome.

Because using this attribute without testing will cause sites to break 
when it is implemented, I both encourage user agent vendors to implement 
it quickly, and urge everyone else to not speak of it loudly until 
browsers have shipped with support for this attribute.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'