This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
public-html-comments posting from: Philippe De Ryck <philippe.deryck@cs.kuleuven.be> http://www.w3.org/mid/1312266482.13091.1.camel@papyrus The following comment contains detailed information about an issue that was discovered during a recent security analysis of 13 next generation web standards, organized by ENISA (European Network and Information Security Agency), and performed by the DistriNet Research Group (K.U. Leuven, Belgium). The complete report is available at http://www.enisa.europa.eu/html5 (*), and contains information about the process, the discovered vulnerabilities and recommendations towards improving overall security in the studied specifications. Summary --------- Using a sandbox prevents navigation of the top-level browsing context (unless specifically allowed), which disables common clickjacking protection mechanisms. This is problematic if an attacker uses such a sandbox to frame the victim page. Based on: HTML5, 11 July 2011 Relevant Sections: 4.8.2. The iframe element Issue ------- In order to perform a clickjacking attack, an attacker can frame the victim page using a sandbox iframe. The security features of the sandbox prevent the victim page from navigating the top-level browsing context to its own URL, as commonly done in clickjacking protection mechanisms. This effectively disables the victim's page clickjacking protection. Recommended Solution ---------------------- Add the following warning to section 4.8.2 (the iframe element) of the specification: Unwanted sandboxing of legitimate content can disable javascript-based clickjacking protection mechanisms. To prevent such attacks, legitimate content should provde adequate clickjacking protection [1]. [1] Busting frame busting: a study of clickjacking vulnerabilities at popular sites. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson in IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010) (*) HTML version of the report is available as well: https://distrinet.cs.kuleuven.be/projects/HTML5-security/ -- Philippe De Ryck K.U.Leuven, Dept. of Computer Science Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
mass-move component to LC1
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Accepted Change Description: no new spec change Rationale: http://lists.w3.org/Archives/Public/public-html-comments/2011Aug/0011.html