David Hyatt wrote:
>
> The obvious drawback of (3) below is that remote XUL couldn't use the
> current installed skin.
> > 1) Forbid use of the CSSOM on stylesheets more privileged than you are.
> > 2) Give rules added to stylesheets by CSSOM the security principal of
> > the script adding them.
> > 3) Forbid linkage to CSS files more privileged than yourself, except as
> > done implicitly by mozilla (to html.css for example).
I'm definitely thinking that #1 is the way to go. Considering that it's
not possible to access the DOM of pages that aren't from the same *host*
as you (which is far more restrictive than just "are more privileged
than you")... I can't think of any reason why pages should be allowed to
access or modify privileged stylesheets.
Given this, there's *still* a potential exploit if an attacker knows
that a certain chrome CSS file will bind a trusted file-access binding
to a certain element - he just has to apply that CSS file to a remote
XUL document of his choice.
I think the only secure way to do this is to somehow know whether the
CSS file was associated to the document implicitly by mozilla or by the
page author. Bindings in html.css are only secure because of the
combination of *three* factors:
1) html.css is trusted
2) The XBL file that it binds to is trusted
3) The association of html.css to the untrusted html file is done by a
trusted entity - i.e. mozilla.
(#2 here is actually unnecessary given #1 and #3, because it's okay to
"trust" the css file not to attach untrusted XBL so long as we know that
attackers can't abuse that css file. Also note that the "trusted entity"
in #3 might not have to be mozilla - it could be by manipulation of the
CSSOM by a trusted script, for example, although we don't have to
support this feature right away...)
I don't know how html.css becomes associated with html files, so
somebody more knowledgeable than me will have to explain this one. Is it
done by getting Mozilla to modify the CSSOM as soon as the document
starts loading, or is there something that makes html.css link in before
the CSSOM is even created? Is there a useful way to distinguish this
"implicit" css file with other ones added by the page author? Are there
any other such "implicit" css files?
Stuart.
PS The more I think about this the more I understand why it's such a
complex issue. I originally thought that "my approach" was clearly and
obviously better; my eyes have been well and truly opened to how
complicated it really is...
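As an added illustration (not code from this thread or from Mozilla), the following JavaScript models the two rules under discussion: Hyatt's option (1) for CSSOM access, and Stuart's three factors for letting a stylesheet attach a trusted XBL binding. Every principal, URL, document and the `file.xml` binding are constructed for the example.

```javascript
// Added example, not Mozilla code: a toy model of the policy discussed in this
// thread. Principals, URLs and documents are constructed for illustration.
const CHROME = "chrome://";               // the browser's own, trusted origin
const principal = (origin) => ({ origin, trusted: origin === CHROME });

// Hyatt's option (1): a script may reach a sheet through the CSSOM only when
// the sheet is not more privileged than the script itself.
function cssomAccessAllowed(script, sheet) {
  return script.trusted || !sheet.owner.trusted;
}

// Link `sheet` into `doc` on behalf of `actor`, recording who did it: the
// browser (implicit association) or the page author.
function linkSheet(doc, sheet, actor) {
  doc.sheets.push({ ...sheet, associatedBy: actor });
}

// Stuart's three factors for attaching a trusted (privileged) binding:
//  1) the sheet is trusted, 2) the binding is trusted, and
//  3) a trusted entity, not the page author, associated the sheet.
// An untrusted binding runs with the page's own privileges, so it is not gated.
function bindingAllowed(doc, sheetUrl, binding) {
  const linked = doc.sheets.find((s) => s.url === sheetUrl);
  if (!linked) return false;                // sheet never reached this document
  if (!binding.owner.trusted) return true;
  return linked.owner.trusted && linked.associatedBy.trusted;
}

// The situations from the thread; returns the policy decision for each.
function scenarios() {
  const browser = principal(CHROME);
  const author = principal("http://remote.example");        // constructed origin
  const htmlCss = { url: "chrome://html.css", owner: browser };
  const fileAccess = { url: "chrome://file.xml", owner: browser }; // constructed
  // (a) html.css applied implicitly by the browser to an ordinary HTML page.
  const html = { principal: author, sheets: [] };
  linkSheet(html, htmlCss, browser);
  // (b) the same chrome sheet linked by the author of a remote XUL document:
  // factors 1 and 2 hold, factor 3 does not, so the trusted binding is refused.
  const xul = { principal: author, sheets: [] };
  linkSheet(xul, htmlCss, author);
  return {
    implicitHtmlCss: bindingAllowed(html, htmlCss.url, fileAccess),        // true
    authorLinkedChromeCss: bindingAllowed(xul, htmlCss.url, fileAccess),   // false
    pageScriptOnChromeSheet: cssomAccessAllowed(author, htmlCss),          // false
    chromeScriptOnChromeSheet: cssomAccessAllowed(browser, htmlCss),       // true
  };
}
```

The model records who associated a sheet with a document, which is exactly the "implicit vs. page-author" distinction the post asks about; a real implementation would need the browser to stamp that information at link time.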