
Re: The javascript runtime, XSS, and javascript crypto...

From: David Dahl <ddahl@mozilla.com>
Date: Tue, 13 Dec 2011 08:29:49 -0800 (PST)
To: Tom Ritter <tom@ritter.vg>
Cc: public-identity@w3.org, Harry Halpin <hhalpin@w3.org>
Message-ID: <2137342106.556.1323793789769.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>
----- Original Message -----
> From: "Tom Ritter" <tom@ritter.vg>
> To: "Harry Halpin" <hhalpin@w3.org>
> Cc: public-identity@w3.org
> Sent: Tuesday, December 13, 2011 8:50:27 AM
> Subject: Re: The javascript runtime, XSS, and javascript crypto...
> > Again, look at the CSP spec and tell us if this fulfills your
> > use-case.
> 
> Content Security Policy is another approach to solve the problem where
> a single XSS flaw can poison the entire javascript runtime and subvert
> the critical code. It has its pros and cons.
> 

> [1] CSP would only be deployed this way for an application built
> ground-up. After dealing with companies - I can hardly imagine any of
> them investing the effort to make their app "no unsafe-inline"
> compliant.

Upon further reflection on this, perhaps what is needed instead is a browser mode like "Private Browsing Mode" in Firefox that is "Enhanced Security Mode", with certain CSP settings in place, SSL (with pinning required) and other restrictions or enhancements. What else is missing? There will no doubt be a demand for this kind of mode for browsers, in fact, there already must be from business and government.

Regards,

David
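The "no unsafe-inline" property Tom Ritter mentions is a concrete, checkable attribute of a Content-Security-Policy header. The following checker is an added example, not code from this thread or from any W3C or Mozilla project: it parses a CSP header value, resolves the source list that governs scripts, and reports whether the policy actually forbids inline script (the setting that keeps a single reflected XSS from running code in the page's JavaScript runtime). The three sample policies at the bottom are constructed for illustration.

```javascript
// Added example (not from the original thread). Parses a CSP header and
// reports whether it blocks inline <script> blocks and on* event handlers.

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs scripts: script-src if present, else default-src.
// Returns null when neither is set, i.e. scripts are unrestricted.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True when the policy prevents inline script from executing.
function blocksInlineScript(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return false; // no policy covering scripts at all
  const lowered = sources.map((s) => s.toLowerCase());
  if (!lowered.includes("'unsafe-inline'")) return true;
  // CSP Level 2 and later: a nonce or hash source makes 'unsafe-inline'
  // ignored, so inline script still needs a matching nonce/hash.
  return lowered.some(
    (s) =>
      s.startsWith("'nonce-") ||
      s.startsWith("'sha256-") ||
      s.startsWith("'sha384-") ||
      s.startsWith("'sha512-")
  );
}

// Constructed sample policies (not taken from any real deployment).
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.test";
const NONCE_POLICY = "script-src 'nonce-abc123' 'unsafe-inline'";

for (const [label, policy] of [
  ['weak', WEAK_POLICY],
  ['strict', STRICT_POLICY],
  ['nonce', NONCE_POLICY],
]) {
  console.log(`${label}: blocks inline script = ${blocksInlineScript(policy)}`);
}
```

The weak policy is the one most existing applications end up with when they first add CSP, because it keeps their inline handlers working; it offers no protection against the runtime-poisoning XSS the thread is discussing. The nonce form is the usual migration path for an app that cannot be rebuilt "ground-up": legitimate inline scripts get a per-response nonce while injected ones do not.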
Received on Tuesday, 13 December 2011 16:32:48 GMT
