Hi Robin, Great thanks for the descriptive example!
At first I thought that it all depends on the trust model. The security issue in your example results from the eval that is contained in the html within a widget. So we could assume that if the widget is signed we could somehow rely on its content. Then the evil eval would maybe not be used (at least not in the context you quote). So we could have the simple distinction between executable content (js, html) and non-executable content (img, css [until scripts come there] ). However, since some images can also be executed, the distinction is de-facto void. Therefore it seems the use case is not doable, because we probably do not want to overload the implementations with [SNIFF] algorithms. Thanks, Marcin Marcin Hanclik ACCESS Systems Germany GmbH Tel: +49-208-8290-6452 | Fax: +49-208-8290-6465 Mobile: +49-163-8290-646 E-Mail: marcin.hanc...@access-company.com -----Original Message----- From: Robin Berjon [mailto:ro...@berjon.com] Sent: Wednesday, November 18, 2009 6:37 PM To: Marcin Hanclik Cc: WebApps WG Subject: Re: [WARP] Comments to WARP spec Hi Marcin, On Nov 18, 2009, at 14:37 , Marcin Hanclik wrote: >>> One could request an >>> image that is redirected to >>> http://address/of/image?put+a+complete+script+here >>> and then evaluate the query. > Ok, but then it will still be processed as image and will result in an > invalid image, I think. Not so. Consider the following piece of Perl: #!/usr/bin/perl print "Location: img.png?alert('I am evil!')\n\n"; And the following HTML: <!DOCTYPE html> <iframe src='img.pl' id='pl'></iframe> <script> window.onload = function () { eval(unescape(document.getElementById("pl").contentDocument.location.search.substring(1))); } </script> This produces the expected alert. No script was ever exchanged, and I get the image to display perfectly fine. -- Robin Berjon - http://berjon.com/ ________________________________________ Access Systems Germany GmbH Essener Strasse 5 | D-46047 Oberhausen HRB 13548 Amtsgericht Duisburg Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda www.access-company.com CONFIDENTIALITY NOTICE This e-mail and any attachments hereto may contain information that is privileged or confidential, and is intended for use only by the individual or entity to which it is addressed. Any disclosure, copying or distribution of the information by anyone else is strictly prohibited. If you have received this document in error, please notify us promptly by responding to this e-mail. Thank you.
