13587 2011-08-03 05:53:50 +0000 registerProtocolHandler() et al: Potential scheme/content handlers security issues 2011-10-20 09:06:36 +0000 1 1 1 Unclassified HTML WG LC1 HTML5 spec unspecified Other All RESOLVED FIXED http://www.w3.org/mid/1312266581.13091.3.camel@papyrus P3 normal --- 1 mike+html-wg-mailbot ian ian mike philippe.deryck public-html-admin public-html-wg-issue-tracking public-html-bugzilla oldest_to_newest 52103 0 mike+html-wg-mailbot 2011-08-03 05:53:50 +0000 public-html-comments posting from: Philippe De Ryck <philippe.deryck@cs.kuleuven.be> http://www.w3.org/mid/1312266581.13091.3.camel@papyrus The following comment contains detailed information about an issue that was discovered during a recent security analysis of 13 next generation web standards, organized by ENISA (European Network and Information Security Agency), and performed by the DistriNet Research Group (K.U. Leuven, Belgium). The complete report is available at http://www.enisa.europa.eu/html5 (*), and contains information about the process, the discovered vulnerabilities and recommendations towards improving overall security in the studied specifications. Summary --------- The specification of custom scheme/content handlers does not really deal with potential security issues nor does it provide adequate protection towards users. Based on: HTML5, 11 July 2011 Relevant Sections: 6.5.1.2. Custom Scheme and Content Handlers Issue ------- The security implications of the use of custom scheme/content handlers are unclear and underdocumented. The specification does list a number of concerns, but most of them simply describe the concern and delegate fixing the issue to the user agent. Additionally, several issues lack the necessary level of depth (for example, it is unclear why secure URLs should not be sent to a third-party handler, since unprotected HTTPS URLs are publicly accessible anyway). Additionally, no awareness indicators are required, which can be unintuitive towards users. This becomes especially relevant for handlers that were registered a long time ago, and since forgotten about. Recommended Solution ---------------------- Investigate the potential security consequences and formulate concrete ways to address them. Including these in the specification will lead to a uniform and secure implementation by browser vendors. (*) HTML version of the report is available as well: https://distrinet.cs.kuleuven.be/projects/HTML5-security/ -- Philippe De Ryck K.U.Leuven, Dept. of Computer Science Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm 54082 1 mike 2011-08-04 05:35:53 +0000 mass-move component to LC1 55817 2 ian 2011-08-25 22:33:41 +0000 EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Accepted Change Description: see diff given below Rationale: The security model for this API is now same-origin only for the handler; schemes are whitelisted, and content-types are blacklisted. Please do not hesitate to file bugs if you can think of specific vulnerabilities this does not cover. 55818 3 ian 2011-08-25 22:34:31 +0000 Diff: http://html5.org/tools/web-apps-tracker?from=6522&to=6524