This Week in HTML 5 - Episode 7
September 29th, 2008 by Mark Pilgrim, Google
Welcome back to "This Week in HTML 5," where I'll try to summarize the major activity in the ongoing standards process in the WHATWG and W3C HTML Working Group.
Work continued this week on Web Forms 2, but I'm going to hold off on that until next week. And in case you missed it, Ian Hickson gave a tech talk on HTML 5, including live demos of some features recently implemented in nightly browser builds.
The big news this week is the disclosure of a vulnerability that researchers have dubbed "clickjacking." To understand it, start with Giorgio Maone's post, Clickjacking and NoScript. Giorgio is the author of the popular NoScript extension for Firefox. In its default configuration, NoScript protects against this vulnerability on most sites in most situations; you can configure it to defeat the attack entirely, but only at the cost of usability and functionality.
Of course, most web users do not run Firefox, and fewer still run NoScript, so web developers still need to be aware of it. Michal Zalewski's post, Dealing with UI redress vulnerabilities inherent to the current web, addresses some possible workarounds:
window.top != window to inhibit rendering, or override window.top.location. These mechanisms work only if Javascript is enabled, however, and are not guaranteed to be reliable or future-safe. If the check is carried on every UI click, performance penalties apply, too. Not to mention, the extra complexity is just counterintuitive and weird. Requiring non-trivial reauthentication (captcha, password reentry) on all UI actions with any potential for abuse. Although this is acceptable for certain critical operations, doing so every time a person adds Bob as a friend on a social networking site, or deletes a single mail in a webmail system, is very impractical.Worried yet? Now let's turn to the question of what browser vendors can do to mitigate the vulnerability. Michal offers several proposals. It is important to realize that none of these proposals have been implemented yet, so don't go rushing off to your text editor and expecting them to do something useful.
To this list, Colin Jackson added two more suggestions:
This last approach moves us down a slippery slope towards site security policies for IFRAMEs and embedded content, similar to the Flash security model that allows trusted sites to access cross-domain resources. In practice, Flash crossdomain.xml files have a number of problems, and such an approach would still only cover a fraction of the possible use cases.
You can read the full thread for all the gory details and back-and-forth among browser vendors (Maciej Stachowiak works on WebKit, Robert O'Callahan works on Firefox) and other interested parties. As Maciej notes, user experience may suffer: "[Under proposal #3] iGoogle widgets would become disabled if scrolled partially off the top of the page under your proposal. And even if scrolled back into view, would remain disabled for a second. With possibly a jarring visual effect, or alternately, no visual indication that they are disabled. Hard to decide which is worse." As Rob notes, any solution will also need to deal with IFRAMEs styled with opacity:0, related attacks using some little-known (but widely supported) capabilities of SVG, and possibly other vectors that the world collectively hasn't figured out yet. If you're getting a mental image of the game "Whack-a-Mole," you're not alone.
Ironically, the best example of "clickjacking" is the download page for the NoScript extension, which uses it for good rather than evil. Thanks to some fancy JavaScript (search for "installer"), Giorgio embeds the addons.mozilla.org download page for NoScript in an IFRAME on his own page on noscript.net, sets the IFRAME to "opacity:0" (an attack vector that Robert O'Callahan specifically warned about), scrolls the embedded addons.mozilla.org page to the top corner of its "Add to Firefox" button, and sets the z-index of the IFRAME to 100. Thus, the IFRAME is floating (due to "z-index:100") invisibly (due to "opacity:0") over Giorgio's own "Install Now" button (due to the positioning of the IFRAME element itself). When you think you're clicking the button on noscript.net you are actually clicking the button on addons.mozilla.org. What's the difference? By default, Firefox treats addons.mozilla.org as a trusted download site, so it immediately pops up the extension installation dialog instead of blocking the installation with an infobar saying "Firefox prevented this site (noscript.net) from installing software on your computer." From a user experience standpoint, this is great -- one less click to download and install an extension. From a security standpoint, this is incredibly scary -- the end user has no idea they're interacting with a third-party site.
Ian Hickson, the editor of HTML 5, weighed in with his opinion:
I would like feedback from browser vendors on this topic, ideally in the form of experimental implementations. Personally I think the idea of disabling the contents of a cross-origin iframe that has been partially obscured or rendered partially off-screen is the best idea, but whether we can adopt it depends somewhat on whether browser vendors are willing to adopt it and implement it. It requires no standards changes to implement.
Tune in next week for another exciting episode of "This Week in HTML 5."
September 29th, 2008 at 19:55
Hi Marc!
Thanks for explaining how the install button trick works, I couldn’t find better words
Would you mind to fix the NoScript link above (it’s relative rather than absolute and goes 404)?
Jean-Baptiste Clamence Says:September 30th, 2008 at 11:50
do not forget last week in html5
Ajaxian » This Week in HTML 5: Clickjacking Says:September 30th, 2008 at 12:47
[...] Pilgrim, in his latest episode on This Week in HTML 5, got into an interesting topic indeed: clickjacking. The big news this week is the disclosure of a [...]
Mark Pilgrim, Google Says:October 1st, 2008 at 15:22
@Giorgio: fixed, thanks.
Daniel Axelrod Says:October 2nd, 2008 at 02:39
Is anybody even sure that the term “clickjacking” as used by Mr. Hansen and Mr. Grossman refers to the same thing as the UI Redress vulnerability?
Mr. Maone has certainly done an excellent bit of deduction from available information. However, I wonder if it might be prudent to wait to propose solutions to “clickjacking” until the original researchers tell us exactly what “clickjacking” is. UI Redress may only be part of it.
Of course, that’s not to say UI Redress isn’t a legitimate concern on its own, and I appreciate your efforts to find a solution to it.
The WHATWG Blog » Blog Archive » This Week in HTML 5 - Episode 8 Says:October 8th, 2008 at 15:03
[...] The WHATWG Blog Please leave your sense of logic at the door, thanks! « This Week in HTML 5 - Episode 7 [...]
Ajaxian » This Week in HTML 5: Web Forms 2, Search, and more Says:October 11th, 2008 at 05:43
[...] up on last week’s article on clickjacking, the security researcher who discovered (and named) it has posted details of his discovery. Short [...]