Hi Marcin,
On Nov 19, 2009, at 09:44 , Marcin Hanclik wrote:
> Great thanks for the descriptive example!
A pleasure :)
> The security issue in your example results from the eval that is contained in
> the html within a widget. So we could assume that if the widget is signed we
> could somehow rely on its content. Then the evil eval would maybe not be used
> (at least not in the context you quote).
Perhaps, but the example I used was very straightforward and easy to review —
it would be possible for the original HTML to be a trojan with a less obvious
attack path.
For instance consider a createElement(name, parent, content) method; you could
obtain "script" and "alert('I am evil!')" using the same trick, and call
createElement("script", document.body, "alert('I am evil!')") — it would work
just the same as eval().
> However, since some images can also be executed, the distinction is de-facto
> void.
Right, it's one of those things that people would've done differently if we'd
had a chance to think about the consequences while the web was being
organically grown, but that's water under the bridge now.
--
Robin Berjon - http://berjon.com/