
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 21 Jan 2011 14:47:13 -0800
Message-ID: <AANLkTiknmFEV8vNeTGins9KU+6+79yaK8AqnncFjb1sZ@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, gaz Heyes <gazheyes@gmail.com>, Giorgio Maone <g.maone@informaction.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>

> The <meta> tag raises the issue of what to do if the policy is found
> after something that should have been covered by the policy. Ignore
> the policy (too late!), ignore the violation (injected scripts win),
> maybe reparse the document from the beginning and hope there weren't
> earlier violations that matter? Not insurmountable, but definitely
> will add to the complexity of the spec.

Yes, that's a problem if you allow multiple <meta> tags to specify a
single valid policy. In Adam's proposal, the policy must appear in a
single tag, which allows you to simply ignore all subsequent <meta>s
that would broaden the policy (and it can't be narrowed down, ruling
out the risk of policy deployment errors that accidentally give too
much access because of this parsing precedence).

Received on Friday, 21 January 2011 22:48:06 UTC
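
The rule discussed in the message above, sketched as an added example that is not part of the original message or of any proposal text: the first policy-bearing `<meta>` is the only one applied, later ones are ignored, and scripts parsed before it are reported because they fall outside the policy. The `http-equiv="Content-Security-Policy"` attribute form, the class and function names, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: the policy arrives as <meta http-equiv="Content-Security-Policy" content="...">.
POLICY_HEADER = "content-security-policy"


class FirstMetaPolicyAudit(HTMLParser):
    """Apply first-policy-wins and record what the rule leaves exposed."""
    def __init__(self):
        super().__init__()
        self.policy = None          # content of the first policy <meta>, if any
        self.policy_pos = None      # (line, column) where it was found
        self.ignored = []           # later policy <meta> tags, never applied
        self.scripts_before = []    # <script> tags parsed before any policy

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == POLICY_HEADER:
            content = (attrs.get("content") or "").strip()
            if self.policy is None:
                self.policy, self.policy_pos = content, self.getpos()
            else:
                # Neither broadens nor narrows the active policy.
                self.ignored.append((self.getpos(), content))
        elif tag == "script" and self.policy is None:
            self.scripts_before.append((self.getpos(), attrs.get("src")))


def audit(html):
    parser = FirstMetaPolicyAudit()
    parser.feed(html)
    parser.close()
    return parser


# Constructed sample page: one early inline script, one policy, one later <meta>.
SAMPLE = """<html><head>
<script>var early = 1;</script>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
<script src="/app.js"></script>
</head><body>
<meta http-equiv="Content-Security-Policy" content="script-src *">
</body></html>"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    print("active policy:", result.policy, "at", result.policy_pos)
    print("ignored later policies:", result.ignored)
    print("scripts parsed before the policy:", result.scripts_before)
```

A non-empty `scripts_before` list is the case raised in the quoted question: content that was parsed before any policy existed.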
