W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: XSS mitigation in browsers

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 20 Jan 2011 22:11:11 +0000
Message-ID: <AANLkTin7LdFmXcJcjJyrLTStLmSeNNoJxgzWqNbmYqci@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Sid Stamm <sid@mozilla.com>, Lucas Adamski <ladamski@mozilla.com>
On 20 January 2011 21:47, Brandon Sterne <bsterne@mozilla.com> wrote:

> I don't think the use of HTML tags instead of HTTP headers is
> well-justified.  The obvious drawback to using <meta> tags is that the
> whole model can be subverted by an attacker who manages to inject his
> attack code or bogus policy tag above the site's legitimate policy tag.
>  Mozilla considered the use of <meta> tags as an alternative to the
> header, but we ultimately decided that the risk outlined above outweighs
> the usability gained by allowing the policy to be expressed as a tag.

I sort of agree with this even though I suggested a link tag however the
average dev won't use HTTP headers! They will be to complex to configure and
nobody will apply the rules correctly or even know which rules they should
be using. One way would be to automatically look for the existence of a CSP
file in the root of the server, I know it's bad that the browser makes a
extra http request but that way the dev only needs to create a policy file
on the server. I think we should have policy files that mimic CSS syntax and
even provide W3c validation, devs are obsessed with validating their HTML
they even place images saying that the site is validated and it is a
requirement for some companies to have a correctly formed site, if the site
doesn't validate because it doesn't have a correct security policy then devs
will be forced to make one. We can force security on them :)
Received on Thursday, 20 January 2011 22:11:45 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC