On Thu, 25 Sep 2008, Maciej Stachowiak wrote:
C) Treat a case where top-left corner of the IFRAME is drawn out of
a visible area (CSS negative margins, etc) as a special case of
being obstructed by the owner of a current rendering rectangle
(another IFRAME or window.top) and carry out the same comparison.
Isn't this likely to come up any time you have a scrollable iframe, or one
with overflow: hidden? And why top left but not bottom right?
I meant, corner of the container, rather than actual document rendered
within. If deals strictly with the frame beginning outside the current
viewport to hide some of its contents, but leave small portions of the UI
exposed to misdirected clicks. Doing the same check for bottom right is
very much possible, although does not seem to thwart any particularly
plausible attacks.
- Seems complicated to implement correctly.
It is relatively complex, as acknowledged. The whole reason for this
complexity is that we hoped to devise a solution that:
a) Works by default, without the need to implement specific server-side
mechanisms (all things aside, placing the burden on server side is
counterintuitive and likely to make these problems persist forever,
even more so than XSS and XSRF),
b) Does not break any plausible usage scenarios we could think of (with
a particular attention to IFRAMEd non-same-origin document views,
ads, gadgets).
I would love to see better solutions along these lines to arise on this
forum; failing this, we may resort to a solution that requires sites to
opt in en masse for a particular mechanism, or to give up defenses to
permit certain types of applications to be built - but I see this as
suboptimal.
- Seems very difficult to validate correctness of the security policy.
This one I'm not sure I follow; very few browser security mechanisms are
provable, and even the ones that are, usually do not get proven. It is
relatively easy to intuitively break down and analyze the attack surface
here, however.
- Likely to break user experience of some existing sites.
Any particular examples?
Cheers,
/mz
