/irc-logs / w3c / #webapps / 2008-11-14 / end

# Session Start: Fri Nov 14 00:00:00 2008
# Session Ident: #webapps
[00:03] <adrianba> he said he was going to be travelling for a few weeks - back toward the end of november
[00:05] * Quits: Lachy_ (Lachlan@24.234.142.17) (Ping timeout)
[00:11] <smaug> Hixie: so about <eventsource>
[00:11] <smaug> someone may inject that to a page
[00:11] <smaug> and then it connects to anyway
[00:12] <smaug> "anywhere" may be some evil server with support for AC
[00:12] <Hixie> hm?
[00:13] <smaug> I hadn't noticed that support for AC was added there at some point
[00:13] <smaug> (still haven't found out any good way to search changes in html 5)
[00:14] <smaug> Hixie: and then the evil server may dispatch events to the content
[00:14] <smaug> which are handled by the event listeners...
[00:16] <smaug> <smaug> and then it connects to anywhere
[00:16] <smaug> <smaug> "anywhere" may be some evil server with support for AC
[00:16] * smaug should learn to type, and even in English :p
[00:16] <Hixie> i really have no idea what you're asking :-)
[00:17] <Hixie> can you try again with antecedents for all your "it"s and "that"s and full sentences? :-)
[00:17] <smaug> bah
[00:18] <smaug> Hixie: so some site accepts user generated content. So probably not scripts, but elements
[00:18] <Hixie> ok
[00:19] <smaug> and user adds <eventsource src="someevilsite_with_access_control">
[00:19] <Hixie> and the site filters it, because <eventsource> isn't in their whitelist
[00:19] <smaug> are you sure sites do that
[00:19] <smaug> whitelisting
[00:19] <Hixie> they better, using a blacklist with html is the quickest way to get xss'ed
[00:20] <Hixie> but let's assume they do have this gaping hole and use a blacklist, and so <eventsource> goes through
[00:20] <Hixie> continue with the attack description
[00:20] <smaug> then server sends random events
[00:21] <smaug> although they are MessageEvents, their type can be anything
[00:21] <smaug> so the evil server could possibly trigger any event listener on the page
[00:22] <Hixie> not really
[00:22] <Hixie> the events don't bubble
[00:22] <Hixie> he could trigger any capturing event listener in the chain
[00:22] <smaug> well, capturing event listeners
[00:22] <Hixie> yes
[00:22] <smaug> right
[00:23] <smaug> let's try the other way, what is the reason to have <eventsource>?
[00:23] <smaug> .addEventSource/.removeEventSource should be IMO enough
[00:23] <Dashiva> Have you ever seen a capturing listener used without it being an accident or misguided?
[00:23] <smaug> Dashiva: yes
[00:23] <smaug> all the time
[00:23] <Hixie> Dashiva: we've already established the site author makes serious mistakes
[00:24] <Hixie> since he's not whitelisting
[00:24] <Hixie> smaug: so that you can declare an event source simply
[00:24] <Hixie> smaug: addEventSource() is a pain, and i'd rather remove that altogether frankly
[00:26] <smaug> why is that a pain?
[00:27] <Hixie> far more power than necessary
[00:27] <Hixie> being able to do XMLHttpRequest.addEventSource() is just silly
[00:27] <smaug> well, with the current spec, perhaps yes
[00:28] <smaug> when the spec had the support for dispatching any kinds of server sent events, the situation was a bit different
[00:28] <smaug> server-sent-events could have been used to emulate user interaction (at least in some cases)
[00:29] <smaug> er, simulate
[00:29] <Hixie> not well, but yes
[00:30] <smaug> this whole <eventsource> thingie came up in our server-sent-events security review
[00:31] <smaug> other issue was adopting node to a new document
[00:31] <smaug> what should happen then
[00:32] <Hixie> nothing special, why?
[00:33] <Hixie> (you can't adopt cross-origin)
[00:33] <smaug> so the connection is kept alive
[00:33] <Hixie> sure
[00:33] <smaug> ok
[00:33] <smaug> fine to me
[00:33] <Hixie> good good :-)
[00:33] <smaug> but still, <eventsource> + evil site
[00:34] <smaug> what to do with that
[00:35] <smaug> one option could be that <eventsource> shouldn't support AC
[00:37] <Hixie> dude if we're assuming the site isn't using a whitelist, the site is so owned already there's really not much to discuss
[00:37] <smaug> eh
[00:39] <Hixie> e.g. what if the user slides in an <output> element with an onforminput="" attribute?
[00:42] <smaug> yeah, that is bad
[00:42] <smaug> for the site
[00:43] <smaug> and for the vendor which is the first implementer of that feature
[00:43] <smaug> (vendor X browser users hacked site FooBar)
[00:45] <Hixie> opera's already implemented <output>
[00:45] <Hixie> has for years
[00:45] <Hixie> blacklists are a fast track to getting owned
[00:46] <Hixie> they are highly insecure
[00:46] <Hixie> i'm shocked that anyone at mozilla considers them even a plausible security measure
[00:46] <smaug> I understand whitelisting is what should be done
[00:46] <smaug> but that isn't what all the sites necessarily do
[00:46] <Hixie> sure, some do neither whitelisting nor blacklisting
[01:08] * Quits: adrianba (adrianba@131.107.0.80) (Quit: leaving)
[01:33] * Joins: shepazu (schepers@128.30.52.30)
[01:34] <smaug> shepazu is alive
[01:35] <shepazu> smaug: barely!
[01:35] <shepazu> I can finally breathe, in about 4 days... I'll be back from Japan, with no crazy deadlines looming over my head
[01:36] * Quits: heycam (cam@130.194.72.84) (Quit: bye)
[01:52] <MikeSmith> shepazu: you need to get moving if you are going to get to Shibuya
[01:52] <shepazu> yeah, leaving right now
[01:59] * Quits: shepazu (schepers@128.30.52.30) (Ping timeout)
[04:25] * Quits: maxf (maxf@84.202.168.250) (Ping timeout)
[04:25] * Joins: maxf (maxf@84.202.168.250)
[04:57] * Quits: MikeSmith (MikeSmith@mcclure.w3.org) (Quit: sex break)
[05:55] * Joins: MikeSmith (MikeSmith@mcclure.w3.org)
[07:59] * Quits: aroben (aroben@71.58.97.175) (Quit: Leaving)
[08:35] * Joins: heycam (cam@210.84.56.87)
[08:52] * Quits: MikeSmith (MikeSmith@mcclure.w3.org) (Quit: sex break)
[09:29] * Joins: MikeSmith (MikeSmith@mcclure.w3.org)
[11:06] * Joins: arve (arve@213.236.208.22)
[12:50] * Joins: ArtB (ce846302@128.30.52.43)
[13:07] * Quits: MikeSmith (MikeSmith@mcclure.w3.org) (Quit: sex break)
[13:08] * Joins: MikeSmith (MikeSmith@mcclure.w3.org)
[13:12] * Quits: MikeSmith (MikeSmith@mcclure.w3.org) (Quit: sex break)
[14:46] * Quits: arve (arve@213.236.208.22) (Quit: Leaving)
[15:20] * Quits: ArtB (ce846302@128.30.52.43) (Quit: CGI:IRC)
[15:43] * Joins: ArtB (ce846302@128.30.52.43)
[16:06] * Joins: aroben (aroben@71.58.97.175)
[17:10] * Quits: smaug (chatzilla@82.181.141.13) (Client exited)
[17:13] * Quits: gavin (gavin@63.245.208.169) (Ping timeout)
[17:14] * Joins: smaug (chatzilla@82.181.141.13)
[17:49] * Joins: gavin (gavin@63.245.208.169)
[18:20] * Joins: shepazu (schepers@128.30.52.30)
[18:49] * Quits: shepazu (schepers@128.30.52.30) (Quit: shepazu)
[20:01] * Quits: sicking (chatzilla@63.245.220.242) (Client exited)
[21:43] * Joins: arve (arve@80.202.65.163)
[22:06] * Quits: ArtB (ce846302@128.30.52.43) (Quit: CGI:IRC)
[23:40] * Joins: sicking (chatzilla@63.245.220.242)
# Session Close: Sat Nov 15 00:00:00 2008
