On 09.07.2014 01:41, Ehsan Akhgari wrote:
> On 2014-07-08, 6:34 PM, L. David Baron wrote:
>> On Monday 2014-07-07 15:18 -0400, Ehsan Akhgari wrote:
>>> That seems pretty bad. I think we should at least stop supporting
>>> it for Web content. David, what do you think?
>>
>> I'm ok with restricting it to UA and user style sheets, although if
>> we're going to do that because of security risks I'd like to get a
>> good understanding of what those are and of what we do and don't
>> expect authors to do when sanitizing CSS from untrusted sources to
>> include in their Web content.
>>
>> I think it might make more sense to continue discussion in the bug.
>
> Sounds great!
Agreed!

>
>> (I also think sending this out in the format of an
>> intent-to-implement message was confusing for an initial proposal to
>> do something that hadn't yet been discussed with any owners or peers
>> of the module. I think the format is intended to say that a change
>> has already been accepted by owners/peers but requires wider
>> review.)
>
> Yes indeed.

Admittedly I was a bit confused. I'm sorry, I thought the emails about
this were to start the general discussion. I really did not intend to
imply peer acceptance - in fact I meant to ask for it.

>
>>>> Summary:
>>>>
>>>> Attackers can extract secret URL components (e.g. session IDs, oauth
>>>> tokens) using @-moz-document. Using the regexp support and assuming a
>>>> CSS injection (no XSS needed!), the attacker can probe the current URL
>>>> with some regular expressions and send the URL parameters to a third
>>>> party.
>>>>
>>>> A demo of this exploit can be found at
>>>> <http://html5sec.org/cssession/>.
>>>> This attack has also been published in the academic paper "Scriptless
>>>> Attacks: Stealing the pie without touching the sill"[1] by Mario
>>>> Heiderich et al. and numerous other presentations on this topic [2,3].
>>>>
>>>> My suggestion is to either kill -moz-document for public web content or
>>>> remove regexp support.
>>>>
>>>> What do you think?
>>>>
>>>> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1035091
>>>> Spec: n/a. This was pushed out of CSS3 and did not make it to CSS4
>>>> selectors.
>>>> MDN: https://developer.mozilla.org/en-US/docs/Web/CSS/@document
>>>> Target release: ??
>>>> Platform coverage: desktop, android
>>>>
>>>> [1] http://www.nds.rub.de/research/publications/scriptless-attacks/
>>>> [2] http://www.slideshare.net/x00mario/stealing-the-pie
>>>> [3] https://speakerdeck.com/mikewest/xss-no-the-other-s-cssconf-eu-2013
>>>> _______________________________________________
>>>> dev-platform mailing list
>>>> dev-platform@lists.mozilla.org
>>>> https://lists.mozilla.org/listinfo/dev-platform
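David Baron's question above is what authors sanitizing untrusted CSS should do about this. As an added example (not code from the thread, the bug, or Gecko), the Python check below rejects any @document / @-moz-document rule and reports whether its prelude uses regexp(); it strips comments and decodes CSS escapes first, because a plain substring match on "@-moz-document" misses an escaped at-keyword. The sample sheets and all function names are constructed for this illustration.

```python
import re

# Constructed sample sheets (not from the thread) used to exercise the check below.
SAFE_CSS = '.note::after { content: "document"; } @media (max-width: 600px) { p { color: red } }'
REGEXP_CSS = r'@-moz-document regexp("https://example\.com/\?sid=.*") { body { color: red } }'
# Same at-rule with a CSS hex escape in the at-keyword: a naive substring match misses it.
ESCAPED_CSS = r'@-moz-d\6f cument url-prefix("https://example.com/") { p { color: blue } }'

_COMMENT = re.compile(r'/\*.*?\*/', re.S)
# CSS escape: backslash + 1-6 hex digits (+ optional single whitespace), or backslash + any other char.
_ESCAPE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\n\f\r]?|([^\n\r\f]))')
_AT_DOCUMENT = re.compile(r'@(?:-moz-)?document(?![\w-])', re.I)
_REGEXP_FN = re.compile(r'\bregexp\s*\(', re.I)

def normalize_css(css):
    """Drop comments and decode escapes so obfuscated at-keywords compare equal to plain ones."""
    def _unescape(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        # NUL, surrogate and out-of-range code points decode to U+FFFD, as in CSS Syntax.
        return '\ufffd' if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF else chr(cp)
    return _ESCAPE.sub(_unescape, _COMMENT.sub('', css))

def find_document_rules(css):
    """Return (at_keyword, uses_regexp, prelude) for every @document / @-moz-document rule.

    The prelude is cut at the first '{' after the at-keyword, enough to see whether a
    regexp() matcher is used. A string literal that merely contains the at-keyword is
    flagged too; for untrusted input that is the conservative choice.
    """
    norm = normalize_css(css)
    found = []
    for m in _AT_DOCUMENT.finditer(norm):
        brace = norm.find('{', m.end())
        prelude = norm[m.end():brace if brace != -1 else len(norm)].strip()
        found.append((m.group(0).lower(), bool(_REGEXP_FN.search(prelude)), prelude))
    return found

def is_safe_for_untrusted(css):
    """Reject any sheet that scopes rules by document URL, with or without regexp()."""
    return not find_document_rules(css)

if __name__ == '__main__':
    for name, sheet in (('SAFE_CSS', SAFE_CSS), ('REGEXP_CSS', REGEXP_CSS), ('ESCAPED_CSS', ESCAPED_CSS)):
        print(name, is_safe_for_untrusted(sheet), find_document_rules(sheet))
```

A sanitizer that only needs to enforce the "remove regexp support" option can key on the second tuple element instead of rejecting every URL-scoped rule.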