[Bug 13585] New: [html5] Sandbox disables clickjacking protection

http://www.w3.org/Bugs/Public/show_bug.cgi?id=13585

           Summary: [html5] Sandbox disables clickjacking protection
           Product: HTML WG
           Version: unspecified
          Platform: Other
               URL: http://www.w3.org/mid/1312266482.13091.1.camel@papyrus
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: mike+html-wg-mailbot@w3.org
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


public-html-comments posting from: Philippe De Ryck
<philippe.deryck@cs.kuleuven.be>
http://www.w3.org/mid/1312266482.13091.1.camel@papyrus

The following comment contains detailed information about an issue that
was discovered during a recent security analysis of 13 next generation
web standards, organized by ENISA (European Network and Information
Security Agency), and performed by the DistriNet Research Group (K.U.
Leuven, Belgium).

The complete report is available at http://www.enisa.europa.eu/html5
(*), and contains information about the process, the discovered
vulnerabilities and recommendations towards improving overall security
in the studied specifications.

 Summary 
---------
Using a sandbox prevents navigation of the top-level browsing context
(unless specifically allowed), which disables common clickjacking
protection mechanisms. This is problematic if an attacker uses such a
sandbox to frame the victim page.

Based on: HTML5, 11 July 2011
Relevant Sections: 4.8.2. The iframe element

 Issue
-------
In order to perform a clickjacking attack, an attacker can frame the
victim page using a sandbox iframe. The security features of the sandbox
prevent the victim page from navigating the top-level browsing context
to its own URL, as commonly done in clickjacking protection mechanisms.
This effectively disables the victim's page clickjacking protection.

 Recommended Solution
----------------------

Add the following warning to section 4.8.2 (the iframe element) of the
specification: Unwanted sandboxing of legitimate content can disable
javascript-based clickjacking protection mechanisms. To prevent such
attacks, legitimate content should provde adequate clickjacking
protection [1].


[1] Busting frame busting: a study of clickjacking vulnerabilities at
popular sites. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin
Jackson in IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010) 



(*) HTML version of the report is available as well:
https://distrinet.cs.kuleuven.be/projects/HTML5-security/

-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Received on Wednesday, 3 August 2011 05:53:01 UTC