Hello!
On Sat, 27 May 2006 19:58:28 +0300, Alexey Feldgendler
<[EMAIL PROTECTED]> wrote:
> Some more thoughts on security of scripted documents.
>
> Though sandboxing, as discussed earlier on this mailing list [1], would
> be a powerful tool to ensure security of scripted documents, it's
> overkill in many situations. Analyzing typical vulnerabilities found in
> web applications, I have found that many of them are caused by the
> possibility to trick the user agent into execution of a malicious
> script. This is often achieved by including scripts in unusual places in
> user-supplied code, such as the following text in a blog comment:
>
> <span style="color:expression(...steal cookies...)">LOL!</span>
>
> If the HTML cleaner fails to strip this, too bad. Sometimes, it's more
> complex than that, but the idea is the same: put a script in some
> unexpected place. (Another example:
> style="background:url(javascript:...)".)
>
> Sandboxes would, of course, deal with this, but there is a much simpler
> measure targeted specifically at such exploits.
Yes, sandboxes are somehow overkill, like "did the web reach this level
already?". That's something along the line: "do authors really need such
advanced capabilities?".
Thinking of sandboxing is like viruses are already running in the wild.
However, it's better to think forward and take caution.
> I propose to define the notion of "side effect free script". All
> browsers which allow scripts in declarations like CSS should only allow
> side effect free scripts in such places.
>
> [...]
>
> 9. Optionally, execution time limit may be imposed on the thread, so
> that it doesn't make the document unrenderable by running an endless
> loop inside CSS expression().
Of course. I like that Gecko and Konqueror have the execution time limit.
It's something important, since authors can create malicious pages which
bring down the entire browser.
> The above is very raw thoughts. I'd like to hear some feedback on the
> idea itself.
Interesting thoughts, but I don't know why I don't find myself
enthusiastic about the "side-effect free script" notion you've detailed.
Maybe something better is still needed.
--
http://www.robodesign.ro
ROBO Design - We bring you the future
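As an added illustration (not code from either poster), a defender-side check for the two constructs quoted in the thread, expression() and a javascript: URL inside url(), applied to a style attribute value that has already been extracted from the markup. The normalisation step is my own assumption about what a cleaner that only looks for the literal token would miss (CSS comments, hex escapes, whitespace).

```python
import re

# Constructed sample style values, modelled on the two cases quoted in the
# thread, plus three obfuscated variants of the same constructs.
SAMPLES = {
    "color:expression(alert(document.cookie))": True,
    "background:url(javascript:alert(1))": True,
    "color:red; font-weight:bold": False,
    "color:exp/**/ression(alert(1))": True,      # token split by a CSS comment
    "color:\\65 xpression(alert(1))": True,      # 'e' written as a CSS hex escape
    "background:url( java\tscript:alert(1) )": True,  # whitespace inside the scheme
}

_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")


def normalize_css(value: str) -> str:
    """Undo the tricks that hide a token from a naive substring filter.

    Order matters: strip comments first (a comment may split a token), then
    decode hex escapes, then drop whitespace and control characters, then
    lowercase. Over-normalising is fine here because this is a deny check,
    not a rewrite of the value that is sent on to the browser.
    """
    value = _CSS_COMMENT.sub("", value)
    value = _CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    value = re.sub(r"[\s\x00-\x1f]+", "", value)
    return value.lower()


def has_scripted_css(value: str) -> bool:
    """True if the style value could run script via expression() or a
    javascript: URL inside url(), the two places the thread mentions."""
    norm = normalize_css(value)
    if "expression(" in norm:
        return True
    # url( optionally followed by a quote, then the javascript: scheme
    return re.search(r"url\(['\"]?javascript:", norm) is not None


def check_samples() -> dict:
    """Run the check over the constructed samples; returns {value: verdict}."""
    return {v: has_scripted_css(v) for v in SAMPLES}
```

A cleaner that rejects the attribute on a True verdict (rather than trying to rewrite it) avoids the second-order problem of a stripped token leaving another valid token behind.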