
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 19 Jan 2011 16:29:18 -0800
Message-ID: <AANLkTi=Fz9JBVm5DaSoFPw4zD=v1S6yF_4Wqqi+BLbO4@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Giorgio Maone <g.maone@informaction.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org, Sid Stamm <sid@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>
> 2) Writing a correct JavaScript program that enforces a reasonable
> security policy is somewhat tricky.  For example, we have a bunch of
> implementation experience with postMessage that shows that folks often
> write incorrect regular expressions when trying to filter messages.
> By using a more declarative policy language with a restricted syntax,
> we make it harder for folks to shoot themselves in the foot.

Declarative approaches are also way easier to audit.

FWIW, Ulfar proposed arbitrarily policing script behavior
While that's an interesting piece of research, I think it's also a
good cautionary tale against offering too much flexibility where it
may not be necessary =)

Received on Thursday, 20 January 2011 00:30:12 UTC
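
Added example, not part of the original message or of any project mentioned in it: a hand-written postMessage origin regex of the kind the quoted text describes, next to a declarative exact-match allowlist, run over the same inputs. All origins, function names and the handler shape are constructed for illustration.

```javascript
// Hand-written filter: the dots are unescaped and the pattern has no end
// anchor, so it accepts more origins than the author intended.
const LOOSE_ORIGIN_RE = /^https:\/\/www.example.com/;

function looseOriginCheck(origin) {
  return LOOSE_ORIGIN_RE.test(origin);
}

// Declarative alternative: the policy is plain data compared by exact match,
// so an auditor reads a list instead of reasoning about regex semantics.
const ALLOWED_ORIGINS = Object.freeze([
  "https://www.example.com",
  "https://accounts.example.com",
]);

function strictOriginCheck(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.includes(origin);
}

// Shaped like a window "message" listener: event carries .origin and .data.
function handleMessage(event, check) {
  if (!check(event.origin)) return { accepted: false };
  return { accepted: true, data: event.data };
}

// Constructed origins a reviewer would run against either check.
const SAMPLE_ORIGINS = [
  "https://www.example.com",              // intended sender
  "https://www.example.com.test.invalid", // extra labels after the match
  "https://wwwxexample.com",              // "." in the regex matches any char
  "http://www.example.com",               // wrong scheme
];

// Returns one row per sample origin with the verdict of each check.
function auditChecks() {
  return SAMPLE_ORIGINS.map((origin) => ({
    origin,
    loose: handleMessage({ origin, data: "ping" }, looseOriginCheck).accepted,
    strict: handleMessage({ origin, data: "ping" }, strictOriginCheck).accepted,
  }));
}

console.table(auditChecks());
```
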
