
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 19 Jan 2011 16:29:18 -0800
Message-ID: <AANLkTi=Fz9JBVm5DaSoFPw4zD=v1S6yF_4Wqqi+BLbO4@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Giorgio Maone <g.maone@informaction.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org, Sid Stamm <sid@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>

> 2) Writing a correct JavaScript program that enforces a reasonable
> security policy is somewhat tricky.  For example, we have a bunch of
> implementation experience with postMessage that shows that folks often
> write incorrect regular expressions when trying to filter messages.
> By using a more declarative policy language with a restricted syntax,
> we make it harder for folks to shoot themselves in the foot.

Declarative approaches are also way easier to audit.

FWIW, Ulfar proposed arbitrarily policing script behavior
(http://www.usenix.org/event/hotos07/tech/full_papers/erlingsson/erlingsson.pdf).
While that's an interesting piece of research, I think it's also a
good cautionary tale against offering too much flexibility where it
may not be necessary =)

/mz
Received on Thursday, 20 January 2011 00:30:12 GMT
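An added illustration of the postMessage point in the quoted paragraph (example code written for this archive page, not from either author): a regex origin filter of the common broken shape next to an exact-match allowlist. The handler takes a plain object standing in for a MessageEvent, and every origin is a constructed sample value.

```javascript
// Added example: loose regex origin filtering vs. an exact-match allowlist.
// Runs in Node without a browser; `event` mimics MessageEvent's origin/data fields.

// The shape Adam describes: unanchored, with unescaped dots. The intent is to
// accept only https://app.example.com, but `.` matches any character and the
// pattern may match anywhere inside the origin string.
const LOOSE_ORIGIN_RE = /https:\/\/app.example.com/;

function looseOriginCheck(origin) {
  return LOOSE_ORIGIN_RE.test(origin);
}

// Declarative alternative: a fixed allowlist compared by exact equality.
// An origin serializes as scheme://host[:port], so there is nothing to parse.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Receiver-side handler: the origin check gates everything else.
function handleMessage(event, originCheck) {
  if (!originCheck(event.origin)) {
    return { accepted: false, reason: "origin rejected" };
  }
  return { accepted: true, data: event.data };
}

// Constructed origins (sample values, not real hosts).
const SAMPLE_ORIGINS = [
  "https://app.example.com",           // the one origin we meant to trust
  "https://app.example.com.evil.test", // unanchored: trusted origin is a prefix
  "https://appxexample.com",           // unescaped dot matches any character
  "http://app.example.com",            // wrong scheme: both checks reject it
];

// Run both checks over the samples so the difference is visible side by side.
function compareChecks(origins) {
  return origins.map((origin) => ({
    origin,
    loose: looseOriginCheck(origin),
    strict: strictOriginCheck(origin),
  }));
}

for (const row of compareChecks(SAMPLE_ORIGINS)) {
  console.log(`${row.origin}  loose=${row.loose}  strict=${row.strict}`);
}
```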