Reading links wouldn't be protected by gareth solution. (nonces on links for example, and other potential sensitive information..). Btw, I think NoScript will start protecting it's users against this attack on the near future (kudos to Giorgio).. it's a bit complicated because of @charset rules and UTF BOMs.. but it's probably gonna work.. he is going to disable attribute selectors (*=, ^=, $=) on some cases.. I'm not aware of the details yet.. but I think that's great news!! -- Eduardo http://www.sirdarckcat.net/ Sent from Hangzhou, 33, China On Tue, Dec 8, 2009 at 5:32 PM, Adam Barth <w3c@adambarth.com> wrote: > On Tue, Dec 8, 2009 at 1:24 AM, gaz Heyes <gazheyes@gmail.com> wrote: > > 2009/12/8 Adam Barth <w3c@adambarth.com> > >> One of my favorite parts about security is that "the buck stops here," > >> meaning finger-pointing about who's responsible for what doesn't > >> really matter. In the end, we need to consider the security of the > >> system as a whole. > >> > >> If you agree that we ought to do something about the threat of > >> stealing CSRF tokens with attribute selectors, then the question > >> becomes "what should we do?" not "who's responsible for the problem?" > >> > >> So, what should we do? > > > > One possible solution would be to ignore hidden field types and password > > field types when using selectors. > > That seems to address the proximate issue, but it feel like > blacklisting. Are there other related attacks we're not thinking of > that would make sense to address at the same time? > > Adam > >
Received on Tuesday, 8 December 2009 09:38:21 UTC