Hi! Ok maciej, that makes sense.. Links for example may also hold sensitive information (actually the original PoC was to read links.. then we figured out that passwords/forms/inputs were better and easier), and I can see the case where devs want to use them there.. so it wouldnt be a real option in my opinion. What about blocking completely: input[type=hidden][value$=] input[type=hidden][value^=] input[type=hidden][value*=] input[password][value$=] input[password][value^=] input[password][value*=] input[password][value=] (to avoid dictionary attacks) a[rel*=nofollow][href$=] a[rel*=nofollow][href^=] a[rel*=nofollow][href*=] iframe[src$=] iframe[src^=] iframe[src*=] frame[src$=] frame[src^=] frame[src*=] and eventhandlers as a whole (everything starting with on*) since devs usually put nonces inthere. Am I missing something? Greetings!! -- Eduardo http://www.sirdarckcat.net/ On Tue, Dec 8, 2009 at 11:37 PM, gaz Heyes <gazheyes@gmail.com> wrote: > 2009/12/8 Maciej Stachowiak <mjs@apple.com> > >> Both of these would store any interesting information as text nodes inside >> the element. I don't believe any current selectors let you select based on >> text contents of the element. >> > > So the problem is we don't want the selectors to be used for certain > elements but those elements vary. Then why don't we have a sensitive > attribute with a HTML element which effectively disables the selectors. > Something like:- > > <input type="text" sensitive="true" /> > > or selectively enable the selectors like:- > <input type="text" css-selectors="true" /> >
Received on Tuesday, 8 December 2009 15:53:41 UTC