I was chatting with Tobie about exposing computed styles in DOMita. I think this is related to Prototype's Element.getStyle ( http://www.prototypejs.org/api/element/getStyle ). Tobie, can you confirm?
When discussing DOMado taming rules, we decided to disallow access and I want to try and write down my recollections of that discussion. We were basing our taming decisions of several questions: (1) Does allowing a feature make it difficult for a coder to reason about what authority they are granting when passing a reference outside their code? (2) Does allowing a feature effectively cause a reference to the object to grant access to an unbounded set of authority? (E.g. Node.getParentNode effectively granting access to the entire DOM from any node.) (3) If (1) or (2) hold, can the excess authority be effectively mitigated by a simple change in API or semantics? (E.g. changing getElementById to return a subset of nodes that have an id suffix? We identified one known attack based on computed style. http://www.cybersecurity.org.uk/articles/history_profiling.htm documents this attack: The core of this profiling is based on the ability to access the computed style or current style of an element. It should also be remembered that the links had to be supplied, so this could be done with a huge number of domains, and brute forcing the profiling. The larger problem is that this violates (1). Since the computed style grants the ability to infer information about containing nodes, it is hard to reason about the authority inherent in a node object. In <p>Hello <b>there</b> </p> Having access to the bold tag, in the presence of computed style, gives access to the font-size, color, background of the containing element unless those are overridden in the bold tag because of the cascading nature of CSS rules. These examples may sound trivial, but this leakage of information makes it hard to reason about, and there are many inherited properties. Then, can it be mitigated per (3)? The surface area of the style node is huge -- probably larger than the rest of the DOM API. We do have a schema client side for CSS that can allow us to pick and choose the bits we allow in computed style, but on what do we base those decisions? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to http://groups.google.com/group/google-caja-discuss To unsubscribe, email [EMAIL PROTECTED] -~----------~----~----~----~------~----~------~--~---
