UserPreferences

PaceFormatSecurity


Abstract

Fill out the security section of the format spec.

Status

Open

Author: JoeGregorio

Much of the material presented here has been covered by Mark Pilgrim in his post on consuming RSS Safely:

http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely

Rationale

Security is more than just encryption and signatures.

Proposal

Add the following text to ""10 Security Considerations""

10.1 HTML and XHTML Text Constructs

Text Constructs allow the delivery of HTML and XHTML into a client application
which may then display that (X)HTML. Because that (X)HTML may be displayed 
either in a web browser or via an embedded web browser in a desktop application, many 
security concerns will arise since that (X)HTML may be displayed in a different 
context from which it was originally served. A consuming application needs
to be very careful about the context in which that (X)HTML is displayed to avoid
cross site scripting attacks and other forms information leakage.

An aggregator will certainly display the (X)HTML of a Text Construct in a
different context than if an HTML page had been loaded from the same server
as that had served up the Atom feed. That is, the (X)HTML may be displayed 
through a different web site if is a web based aggregator, or as a local file
if the aggregator is a desktop kind. There are also aggregators that serve files
up via a web server that run off the desktop. Because of these differening 
contexts there is an opening for cross site scripting attacks or other forms of 
information leakage. The following is a short list of the potential problems that
processing and displaying markup can cause. This list is not comprehensive 
and every consumer of Atom must consider carefully which elements and attributes are 
appropriate to process and display.

10.1.1 HTML

The following elements are consider 'unsafe' in that they 
open clients to one or more types of attack. Every client should 
consider carefully their handling of each of them when processing
incoming (X)HTML in Text Constructs.

10.1.1.1 IMG Element

The image element may pose a threat by inadvertely leaking information. That is, a
hostile feed may include a Text Construct with a "web bug", a 1x1 pixel image
that gets loaded invisibly to the user. The request itself and the referral information
the client application provides may leak information about who is reading the 
content and when the content was read. 

10.1.1.2 SCRIPT Elements and Attributes

All SCRIPT elements and attributes that allow script, such as 'onLoad', can be
potentially dangerous. Scripting languages like ECMAScript allow changing the 
displayed markup and possibly making further HTTP requests. 

10.1.1.3 EMBED and OBJECT Elements

The danger EMBED and OBJECT elements is loading up an an embedded object in an unsafe context.
For example an ActiveX control could be run in local context considered safe
while it would not normally be loaded from it's origin site which was 
considered unsafe. ActiveX is not the only technology to suffer from this
problem, SVG allows JavaScript to be embedded in it, and if displayed in an
EMBEB or OBJECT element could open the client up to a cross site scripting 
attack.

10.1.1.4 FRAME, FRAMESET, and IFRAME Elements

The FRAME, FRAMESET, and IFRAME Elements allow loading (X)HTML in from a 
different context.

10.1.1.5 META Elements

Some (X)HTML processors are very loose in what they will accept for HTML, including 
processing elements that would normally appear in the HEAD of a document even when
they are present in the BODY. Such a loose (X)HTML processor may process a META element
which could redirect the HTML processor to load another page.

10.1.1.6 LINK Elements

The same loose processing that may inadvertenly pick up META elements can also
pick up LINK elements which can cause CSS Stylesheets to be loaded. Please see
Section 10.1.2 on the potential problems with CSS.

10.1.2 CSS 

The processing of CSS (Cascading Stylesheets) also has security concers. CSS allows the 
loading of images, which has all the same concerns as the IMG element [Section 10.1.1.1].
In addition CSS allows HTML elements to be hidden or positioned absolutely. If a group
of syndication feeds are processed and displayed in a single HTML page then some errant or
malicious CSS could ovelay the entire page with a single large image repeated endlessly, thus
rendering the entire page unusable. Some browsers also support proprietary extensions which allow
the execution of scripts within CSS. 

When considering CSS please note that there are multiple ways to include
CSS in (X)HTML. The STYLE element can contain CSS, LINK elements can import
external CSS files, and STYLE attributes can contain inline CSS.

10.1.3 URIs

Since any consumer of an Atom feed will be processing URIs, the security concerns
for handling URIs must also be taken into account. See Section 7 of RFC 3986.

10.1.4 IRIs

Since any consumer of an Atom feed will be processing IRIs, the security concerns
for handling IRIs must also be taken into account. See Section 8 of RFC 3987.

Impacts

Notes

Added a line about removing 'onLoad' attributes and their ilk.


CategoryProposals