Hi Robin,

>> For instance consider a createElement(name, parent, content) method; you could obtain
>> "script" and "alert('I am evil!')" using the same trick, and call
>> createElement("script", document.body, "alert('I am evil!')") - it would work just
>> the same as eval().
Yes, it seems the architecture is simply vulnerable per current design (e.g. in 
ECMA allowing non-strict eval etc.) and we cannot do too much.

>> Right, it's one of those things that people would've done differently if we'd had a
>> chance to think about the consequences while the web was being organically grown, but
>> that's water under the bridge now.
Keeping the context of having a chance: what about event naming in [1]?

Thanks,
Marcin

[1] http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0795.html

Marcin Hanclik
ACCESS Systems Germany GmbH
Tel: +49-208-8290-6452  |  Fax: +49-208-8290-6465
Mobile: +49-163-8290-646
E-Mail: marcin.hanc...@access-company.com

-----Original Message-----
From: Robin Berjon [mailto:ro...@berjon.com]
Sent: Thursday, November 19, 2009 11:15 AM
To: Marcin Hanclik
Cc: WebApps WG
Subject: Re: [WARP] Comments to WARP spec

Hi Marcin,

On Nov 19, 2009, at 09:44 , Marcin Hanclik wrote:
> Great thanks for the descriptive example!

A pleasure :)

> The security issue in your example results from the eval that is contained in 
> the html within a widget. So we could assume that if the widget is signed we 
> could somehow rely on its content. Then the evil eval would maybe not be used 
> (at least not in the context you quote).

Perhaps, but the example I used was very straightforward and easy to review - 
it would be possible for the original HTML to be a trojan with a less obvious 
attack path.

For instance consider a createElement(name, parent, content) method; you could 
obtain "script" and "alert('I am evil!')" using the same trick, and call 
createElement("script", document.body, "alert('I am evil!')") - it would work 
just the same as eval().

> However, since some images can also be executed, the distinction is de-facto 
> void.

Right, it's one of those things that people would've done differently if we'd 
had a chance to think about the consequences while the web was being 
organically grown, but that's water under the bridge now.

--
Robin Berjon - http://berjon.com/
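The eval-equivalence Robin describes, as an added example that is not part of the thread: a DOM helper shaped like createElement(name, parent, content) executes whatever is passed as content once name is "script", and an allowlist of inert element names closes that path. The fake document object is a constructed stand-in so the code runs under Node without a browser DOM.

```javascript
// Added example (not from the thread): the createElement(name, parent, content)
// helper discussed above is an eval-equivalent sink whenever "name" and "content"
// are attacker-influenced. The hardened variant restricts element names to an
// allowlist of inert elements and only ever attaches content as a text node.

const INERT_ELEMENTS = new Set(["div", "span", "p", "ul", "li", "pre", "b", "i", "em", "strong"]);

// Unsafe: accepts any element name. For "script", the text content *is* the
// program, so a browser runs it on insertion, exactly like eval().
function createElementUnsafe(doc, name, parent, content) {
  const el = doc.createElement(name);
  el.textContent = content;
  parent.appendChild(el);
  return el;
}

// Hardened: refuse anything outside the allowlist (case-insensitive, so
// "SCRIPT" is caught too) and never interpret content as markup.
function createElementSafe(doc, name, parent, content) {
  const tag = String(name).toLowerCase();
  if (!INERT_ELEMENTS.has(tag)) {
    throw new Error(`refusing to create <${tag}>: not an inert element`);
  }
  const el = doc.createElement(tag);
  el.appendChild(doc.createTextNode(String(content)));
  parent.appendChild(el);
  return el;
}

// Constructed stand-in for a browser document (hypothetical, for offline runs):
// it records the text of every <script> inserted, which a real engine would execute.
function makeFakeDocument() {
  const executed = [];
  const makeNode = (tag) => ({
    tagName: tag, textContent: "", children: [],
    appendChild(child) {
      this.children.push(child);
      if (child.tagName === "script") executed.push(child.textContent);
      return child;
    },
  });
  return {
    executed,
    body: makeNode("body"),
    createElement: (tag) => makeNode(tag),
    createTextNode: (text) => ({ tagName: "#text", textContent: text }),
  };
}
```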
