Re: ACTION-1001: Review Charles tests on XSS

On Mon, 31 Aug 2009 18:55:38 +0600, Francois Daoust <fd@w3.org> wrote:

> Hi,
>
> I had a look at the tests Charles provided for CT around the same origin  
> policy.
...
>   http://lists.w3.org/Archives/Public/public-bpwg/2009Jun/0125.html
>
> The tests consist of 4 tests and cover basic checks on the same origin  
> policy. They do seem correct, although I do not pretend to be a security  
> expert.
>
> What seems safe to assert:
> - There exist more possibilities out there to run into cross-site  
> scripting (XSS) troubles....
> Even though these bugs are not trivial to exploit, it is reasonable to  
> expect similar bugs will be found in CT proxy implementations. It does  
> not seem reasonable to believe we can cover these possibilities with a  
> few simple tests.
>
> - The tests cannot be run without Javascript support.

True. Nor can cross-site scripting.

> Cookies may still be an issue when Javascript is off. I think most CT  
> proxies remove scripts from content they transcode at this point, making  
> it hard to detect such issues automatically.
>
> - CT proxies replace security at the client by security in the middle of  
> the network. Browser security settings that users (or companies) may set  
> on their browser and that relate to the same origin policy will have no  
> effect once a CT proxy is there and rewrites links. I do not know of any  
> mobile browser where advanced security settings and/or corporate  
> security policies may be set for the time being.
>
> So the question is: what is the group trying to do here? Ensure basic  
> cross-site scripting is not possible? The tests look good in that case.

I think we are checking that the proxy has at least done the obvious  
things required. Is there any reason not to expect security advisories to  
be raised against specific exploits for proxies in the same way as they  
can be raised against almost all other software?

> Ensure cross-site scripting is never possible? That is impossible to  
> assert.

Probably true, and I don't think it is the goal here. That comes down to a  
quality question, and so far we have not demanded anything else be 100%  
bug-free so insisting on it here would be inconsistent as well as setting  
what seems an impossible barrier.

cheers

Chaals

-- 
Charles McCathieNevile  Opera Software, Standards Group
     je parle français -- hablo español -- jeg lærer norsk
http://my.opera.com/chaals       Try Opera: http://www.opera.com

Received on Wednesday, 2 September 2009 16:40:22 UTC
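The point raised in the quoted message about CT proxies moving security "into the middle of the network" can be made concrete: once a proxy rewrites every link onto its own host, two pages that the browser would have kept in separate origins end up sharing the proxy's origin, and the same-origin policy no longer separates them. The following is an added illustration, not code from the thread or from Charles's test suite; the proxy host name, the `fetch?u=` rewriting scheme and the sample URLs are constructed assumptions.

```javascript
// Added example: how link rewriting by a content-transformation (CT) proxy
// collapses distinct web origins into one. Runs under Node.js (global URL).
// The proxy origin below is a constructed placeholder.
const PROXY_ORIGIN = "https://ct-proxy.example";

// Origin as the browser computes it for the same-origin policy:
// scheme + host + port (URL.host keeps a non-default port).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical rewriting scheme, assumed for the example: the original URL
// becomes a query parameter on the proxy's own host.
function proxyRewrite(url) {
  return `${PROXY_ORIGIN}/fetch?u=${encodeURIComponent(url)}`;
}

// Compare two URLs as the browser sees them directly and after the proxy
// has rewritten both of them.
function sopCheck(urlA, urlB) {
  return {
    direct: sameOrigin(urlA, urlB),
    viaProxy: sameOrigin(proxyRewrite(urlA), proxyRewrite(urlB)),
  };
}

// Constructed sample: a banking page and an unrelated news page.
const SAMPLE = sopCheck("https://bank.example/account",
                        "https://news.example/story");
console.log(SAMPLE); // { direct: false, viaProxy: true }
```

The `viaProxy: true` result is the failure mode the message describes: any per-origin browser setting (script blocking, cookie rules, corporate policy) keyed on `bank.example` is now evaluated against `ct-proxy.example` instead, and the proxy itself has to enforce the separation the browser no longer can. A test suite like the one discussed can detect whether the proxy does the obvious isolation, but not every rewriting bug.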