Re: Test Suite and XSS

On Nov 8, 2010, at 8:02 AM, Dominique Hazael-Massieux wrote:

> On Monday 08 November 2010 at 17:00 +0100, Anne van Kesteren wrote:
>> While we had the meeting everyone in the room sort of agreed that the  
>> safest solution would be to host the test suite on a domain that could not  
>> be made same-origin with w3.org using document.domain. And one that would  
>> not share cookies either. Dominique suggested that we could instead try to  
>> avoid such holes by not putting files that allow for XSS on test.w3.org.  
>> When I relayed this nobody thought that would be a workable solution.
> 
> (FWIW, I'm making progress internally on setting up a separate domain
> based on Anne's feedback on this)
> 
>> It seems to me the most pragmatic solution here is to use a separate  
>> domain. This avoids the hassle of having to carefully review each file for  
>> XSS exploits and avoids tests having to be rewritten. It also removes the  
>> possibility for an exploit this way which seems like a major win.
>> 
>> If people could reiterate their own points from the meeting that might  
>> help.
> 
> I'm particularly interested in more details as to what the XSS holes
> are that look hard or impossible to plug.

I think it is more a matter of expected volume of tests than specific exploits. We expect a thorough test suite for HTML5 will run north of 100,000 tests. Many of the tests will run script, and a number of them will be deliberately probing edge cases of the same-origin security policy. Carefully reviewing all these tests for XSS vulnerability, or for that matter CSRF vulnerability, is probably beyond the means of the working group.

Regards,
Maciej

Received on Monday, 8 November 2010 16:21:17 UTC
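The two properties the thread wants from a test-suite host, that it cannot be made same-origin with w3.org through `document.domain` and that it cannot share cookies with it, both come down to the same question: do the two hostnames share a suffix that is not a public suffix? The following script is an added example, not code from the thread or from W3C; it checks candidate hosts against that rule. The candidate hostnames and the tiny public-suffix set are my own constructed stand-ins (a real check must consult the full Public Suffix List).

```javascript
// Added example (not from the thread): decide whether a candidate host for the
// test suite could be made same-origin with the main site via document.domain,
// or could receive a Domain= cookie scoped to cover both hosts.
// PUBLIC_SUFFIXES is a constructed, deliberately tiny stand-in for the real
// Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["org", "com", "net", "co.uk", "uk"]);

// Longest common suffix of two hostnames, measured in whole DNS labels.
function commonSuffix(hostA, hostB) {
  const a = hostA.toLowerCase().split(".").reverse();
  const b = hostB.toLowerCase().split(".").reverse();
  const shared = [];
  for (let i = 0; i < Math.min(a.length, b.length) && a[i] === b[i]; i++) {
    shared.push(a[i]);
  }
  return shared.reverse().join(".");
}

// document.domain may only be set to a suffix of the current host that is not
// a public suffix; two pages that set it to the same value (and share scheme
// and port) become same-origin. A Domain= cookie follows the same rule: it can
// be scoped to any non-public-suffix ancestor and is then sent to every host
// below it. So both questions reduce to "shared non-public suffix or not".
function sharedRegistrableSuffix(hostA, hostB) {
  const suffix = commonSuffix(hostA, hostB);
  if (suffix === "" || PUBLIC_SUFFIXES.has(suffix)) return null;
  return suffix;
}

// Summarise the risk for one candidate host relative to the main site host.
function assessTestSuiteHost(mainHost, candidateHost) {
  const via = sharedRegistrableSuffix(mainHost, candidateHost);
  return {
    candidate: candidateHost,
    documentDomainUnifiable: via !== null, // both sides could set document.domain = via
    cookieSharable: via !== null,          // a cookie with Domain=via reaches both
    via,
    isolated: via === null,
  };
}

// Constructed sample candidates: only the last one is isolated from w3.org.
const REPORT = ["test.w3.org", "tests.dev.w3.org", "w3c-test.org"].map((h) =>
  assessTestSuiteHost("www.w3.org", h)
);

for (const r of REPORT) console.log(r);
```

Run it with `node` to print one object per candidate; a subdomain such as `test.w3.org` reports `via: "w3.org"` and is therefore unifiable and cookie-sharable, while a host under a different registrable domain reports `isolated: true`. The check deliberately ignores scheme and port, which `document.domain` also requires to match; the hostname test is the part that a hosting decision can fix.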