Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 21 Jan 2011 15:16:36 -0800
Message-ID: <AANLkTi=LR1WP=w-DK1pwfH8Fab+nG14VfC02j6YUPxi4@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-web-security@w3.org

> Your approach seems, generally, to provide all the various options
> when you think more than one thing might make sense.  At a high level,
> I don't think that's a good approach.

My general concern is that there is a risk of the discussion devolving
into nit-picking over peripheral aspects that have comparable merits,
potentially leading to fragmentation (CORS vs Microsoft's
XDomainRequest; toStaticHtml versus innerSafeHtml). If these are the
key differentiators between competing proposals, and the reasons why
WebKit or MSIE may end up with an approach incompatible with Firefox,
then I think a less principled stand may be ultimately more
beneficial, even if it results in a less elegant specification.

That said, #1, #2, and #3 aside, I think the concern in #4 - the
practical safety of scoping these policies to origin level - deserves
some consideration sooner than later (also in the context of CSP).

/mz
Received on Friday, 21 January 2011 23:17:29 GMT