
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 21 Jan 2011 14:47:13 -0800
Message-ID: <AANLkTiknmFEV8vNeTGins9KU+6+79yaK8AqnncFjb1sZ@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, gaz Heyes <gazheyes@gmail.com>, Giorgio Maone <g.maone@informaction.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>

> The <meta> tag raises the issue of what to do if the policy is found
> after something that should have been covered by the policy. Ignore
> the policy (too late!), ignore the violation (injected scripts win),
> maybe reparse the document from the beginning and hope there weren't
> earlier violations that matter? Not insurmountable, but definitely
> will add to the complexity of the spec.

Yes, that's a problem if you allow multiple <meta> tags to specify a
single valid policy. In Adam's proposal, the policy must appear in a
single tag, which allows you to simply ignore all subsequent <meta>s
that would broaden the policy (and it can't be narrowed down, ruling
out the risk of policy deployment errors that accidentally give too
much access because of this parsing precedence).

/mz
Received on Friday, 21 January 2011 22:48:06 GMT
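
The first-tag-wins rule discussed in this message, sketched as an added example that is not part of the original post or of any proposal text. It assumes the policy is carried in a `<meta http-equiv="Content-Security-Policy">` tag (the tag name is an assumption; the message does not give it), and the sample document is constructed.

```python
from html.parser import HTMLParser

# Assumed name of the policy-carrying <meta>; the message does not specify it.
POLICY_META = "content-security-policy"


class FirstPolicyWins(HTMLParser):
    """Keep the first policy <meta>, ignore later ones, and record any
    <script> seen before the policy (the 'too late' case from the quote)."""

    def __init__(self):
        super().__init__()
        self.policy = None    # content of the first policy <meta>
        self.ignored = []     # later policy <meta>s: never merged in
        self.uncovered = []   # line numbers of scripts preceding the policy

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == POLICY_META:
            content = a.get("content") or ""
            if self.policy is None:
                self.policy = content
            else:
                # A later tag can neither broaden nor narrow the policy.
                self.ignored.append(content)
        elif tag == "script" and self.policy is None:
            self.uncovered.append(self.getpos()[0])


def scan(html):
    """Return (effective policy, ignored later policies, uncovered script lines)."""
    p = FirstPolicyWins()
    p.feed(html)
    p.close()
    return p.policy, p.ignored, p.uncovered


# Constructed sample: one script before the policy, one injected broader policy.
SAMPLE = """<html><head>
<script>early()</script>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
<meta http-equiv="Content-Security-Policy" content="script-src *">
</head><body><script src="/app.js"></script></body></html>"""

if __name__ == "__main__":
    policy, ignored, uncovered = scan(SAMPLE)
    print("effective policy:", policy)
    print("ignored later policies:", ignored)
    print("scripts before the policy, by line:", uncovered)
```

A non-empty `uncovered` list is what a site operator would want to flag: those scripts were parsed before any policy was in force.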
