Computed Style in DOMita
1 view
Skip to first unread message
Mike Samuel
Sep 30, 2008, 7:51:46 AM9/30/08
to Google Caja Discuss, tobie....@gmail.com
I was chatting with Tobie about exposing computed styles in DOMita. I
think this is related to Prototype's Element.getStyle (
http://www.prototypejs.org/api/element/getStyle ). Tobie, can you
confirm?
When discussing DOMado taming rules, we decided to disallow access and
I want to try and write down my recollections of that discussion.
We were basing our taming decisions of several questions:
(1) Does allowing a feature make it difficult for a coder to reason
about what authority they are granting when passing a reference
outside their code?
(2) Does allowing a feature effectively cause a reference to the
object to grant access to an unbounded set of authority? (E.g.
Node.getParentNode effectively granting access to the entire DOM from
any node.)
(3) If (1) or (2) hold, can the excess authority be effectively
mitigated by a simple change in API or semantics? (E.g. changing
getElementById to return a subset of nodes that have an id suffix?
We identified one known attack based on computed style.
http://www.cybersecurity.org.uk/articles/history_profiling.htm
documents this attack:
The core of this profiling is based on the ability to access the
computed
style or current style of an element. It should also be remembered
that
the links had to be supplied, so this could be done with a huge
number
of domains, and brute forcing the profiling.
The larger problem is that this violates (1). Since the computed
style grants the ability to infer information about containing nodes,
it is hard to reason about the authority inherent in a node object.
In
<p>Hello
<b>there</b>
</p>
Having access to the bold tag, in the presence of computed style,
gives access to the font-size, color, background of the containing
element unless those are overridden in the bold tag because of the
cascading nature of CSS rules.
These examples may sound trivial, but this leakage of information
makes it hard to reason about, and there are many inherited
properties.
Then, can it be mitigated per (3)? The surface area of the style node
is huge -- probably larger than the rest of the DOM API. We do have a
schema client side for CSS that can allow us to pick and choose the
bits we allow in computed style, but on what do we base those
decisions?
think this is related to Prototype's Element.getStyle (
http://www.prototypejs.org/api/element/getStyle ). Tobie, can you
confirm?
When discussing DOMado taming rules, we decided to disallow access and
I want to try and write down my recollections of that discussion.
We were basing our taming decisions of several questions:
(1) Does allowing a feature make it difficult for a coder to reason
about what authority they are granting when passing a reference
outside their code?
(2) Does allowing a feature effectively cause a reference to the
object to grant access to an unbounded set of authority? (E.g.
Node.getParentNode effectively granting access to the entire DOM from
any node.)
(3) If (1) or (2) hold, can the excess authority be effectively
mitigated by a simple change in API or semantics? (E.g. changing
getElementById to return a subset of nodes that have an id suffix?
We identified one known attack based on computed style.
http://www.cybersecurity.org.uk/articles/history_profiling.htm
documents this attack:
The core of this profiling is based on the ability to access the
computed
style or current style of an element. It should also be remembered
that
the links had to be supplied, so this could be done with a huge
number
of domains, and brute forcing the profiling.
The larger problem is that this violates (1). Since the computed
style grants the ability to infer information about containing nodes,
it is hard to reason about the authority inherent in a node object.
In
<p>Hello
<b>there</b>
</p>
Having access to the bold tag, in the presence of computed style,
gives access to the font-size, color, background of the containing
element unless those are overridden in the bold tag because of the
cascading nature of CSS rules.
These examples may sound trivial, but this leakage of information
makes it hard to reason about, and there are many inherited
properties.
Then, can it be mitigated per (3)? The surface area of the style node
is huge -- probably larger than the rest of the DOM API. We do have a
schema client side for CSS that can allow us to pick and choose the
bits we allow in computed style, but on what do we base those
decisions?
Tobie Langel
Sep 30, 2008, 9:33:51 AM9/30/08
to Mike Samuel, Google Caja Discuss
On Sep 30, 2008, at 13:51 , Mike Samuel wrote:
> I was chatting with Tobie about exposing computed styles in DOMita. I
> think this is related to Prototype's Element.getStyle (
> http://www.prototypejs.org/api/element/getStyle ). Tobie, can you
> confirm?
Yes, that's correct. You'll find it here:
http://github.com/sstephenson/prototype/tree/master/src/dom.js#L393
You'll also find it in use in YUI:
http://developer.yahoo.com/yui/3/api/dom-style.js.html
jQuery:
http://dev.jquery.com/browser/trunk/jquery/src/core.js#L862
Mootools:
http://github.com/mootools/mootools-core/tree/master/Source/Element/
Element.js#L399
dojo:
http://svn.dojotoolkit.org/src/trunk/src/html/style.js
etc.
Best,
Tobie
Reply all
Reply to author
Forward
0 new messages