[Webkit-unassigned] [Bug 10313] xsl:import and document() don't work in stylesheets loaded via XMLHttpRequest

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 3 10:40:51 PDT 2010


--- Comment #67 from Adam Barth <abarth at webkit.org>  2010-09-03 10:40:49 PST ---
> * A stylesheet created from DOMParser.parseFromString inherits Referer-URI
>   and security origin from the frame's document.
> Also, I don't understand Adam's concerns about DOMParser.parseFromString().
> How can parsing an XML document in any way open up for XSS attacks?

Notice that in our proposal you imbued the bytes given to parseFromString with the caller's security origin.  If those bytes are untrusted by the caller, you just gave the attacker the honest principal's authority.  That's XSS.

> Sure,
> you can take the node and insert it into your DOM or execute it as a
> stylesheet, but how is that different from doing eval() on any other
> string?

Evaling a string also imbues the string with your authority.  That means folks are careful not to eval untrusted strings.  However, it seems entirely reasonable to parse an untrusted string using DOMParser.

> Indeed, embedding a small stylesheet in JS code that uses a few
> xsl:import tags sounds quite useful to me, and I would expect it to work.

Whether or not it's useful, we need to get the security right first.

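The following is an added illustration of the point made in the comment above; it is not code from the bug thread or from WebKit. It models the two origins a DOMParser-produced stylesheet could be given: the frame document's origin (the proposal being discussed) or a unique opaque origin. The policy names, the function names, the constructed attacker stylesheet and the https://bank.example URLs are all assumptions of this example. It scans the stylesheet text for xsl:import/xsl:include hrefs and document() calls and reports which of those loads would be made with the caller's authority, which is exactly what turns an untrusted stylesheet into XSS when the stylesheet runs as the caller. The browser-only function at the end sketches the call sequence and is guarded so the module also runs under Node.

```javascript
// Added example, not from the WebKit bug thread. Models which loads an
// untrusted stylesheet would perform with the caller's authority under two
// hypothetical origin policies:
//   'inherit-caller' : the parsed stylesheet gets the frame document's URL
//                      and security origin (the proposal under discussion)
//   'opaque'         : the parsed stylesheet gets a unique opaque origin
// Names below are this example's own, not WebKit or DOM API.

const IMPORT_RE = /<xsl:(?:import|include)\b[^>]*\bhref\s*=\s*["']([^"']+)["']/g;
const DOCUMENT_RE = /\bdocument\(\s*['"]([^'"]+)['"]/g;

// Collect the reference strings a stylesheet would try to load, as written.
function stylesheetReferences(xsltText) {
  const refs = [];
  for (const re of [IMPORT_RE, DOCUMENT_RE]) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(xsltText)) !== null) refs.push(m[1]);
  }
  return refs;
}

// For each reference, decide whether the load would be same-origin with the
// caller. A same-origin load is made with the caller's credentials and its
// contents are readable by the stylesheet, so an attacker-authored stylesheet
// running as the caller can read and exfiltrate them.
function classifyFetches(xsltText, callerDocumentURL, policy) {
  const caller = new URL(callerDocumentURL);
  return stylesheetReferences(xsltText).map((ref) => {
    if (policy === 'opaque') {
      // No base URL to resolve relative refs against, and no origin that any
      // absolute ref can match: every load is cross-origin and gets blocked.
      return { ref, resolved: null, withCallerAuthority: false };
    }
    // 'inherit-caller': base URL and origin come from the frame's document.
    const resolved = new URL(ref, caller);
    return {
      ref,
      resolved: resolved.href,
      withCallerAuthority: resolved.origin === caller.origin,
    };
  });
}

// Constructed attacker-supplied stylesheet (illustrative, not a real payload).
// It imports a relative path and reads an absolute URL, then copies the
// result into output the victim page will insert into its own DOM.
const UNTRUSTED_XSLT = `<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="/account/settings.xml"/>
  <xsl:template match="/">
    <leak><xsl:copy-of select="document('https://bank.example/api/balance')"/></leak>
  </xsl:template>
</xsl:stylesheet>`;

// Assumed URL of the honest page that parsed the untrusted bytes.
const CALLER_URL = 'https://bank.example/app/page.html';

// URLs the attacker's stylesheet would read with the caller's authority.
function leakedTargets(policy) {
  return classifyFetches(UNTRUSTED_XSLT, CALLER_URL, policy)
    .filter((f) => f.withCallerAuthority)
    .map((f) => f.resolved);
}

// Browser-only sketch of the sequence the thread is about. What origin the
// imported stylesheet's loads carry is the open question, so this does not
// describe current WebKit behaviour. Returns null outside a browser.
function applyUntrustedStylesheet(xmlDoc, xsltText) {
  if (typeof DOMParser === 'undefined' || typeof XSLTProcessor === 'undefined') return null;
  const xsl = new DOMParser().parseFromString(xsltText, 'application/xml');
  const proc = new XSLTProcessor();
  proc.importStylesheet(xsl);
  return proc.transformToFragment(xmlDoc, document);
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  for (const policy of ['inherit-caller', 'opaque']) {
    console.log(policy, leakedTargets(policy));
  }
}
```

Under 'inherit-caller' both references resolve to https://bank.example and are reported as loads with the caller's authority; under 'opaque' neither is. The eval() comparison in the comment is the same shape: the parse itself is harmless, the authority handed to the parsed bytes is what matters.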