W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 21 Jan 2011 17:35:55 -0800
Message-ID: <AANLkTimzfHApAeMPakL2oR+LjHCcgU7dVOSEsxZBNbY8@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: public-web-security@w3.org
On Fri, Jan 21, 2011 at 5:19 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> The reason we're here having this discussion is because we'd like to
>> come to an agreement about what to do.
> I wonder if the vendors can settle it, though?

That's what we're doing.  We're doing it in public because we believe
in open standards for an open web.

> Arguments both ways
> make sense, and are somewhat comparable in terms of their
> significance, which can make this difficult. I don't want to get ahead
> of the debate, though, so maybe let's leave it at that :-)
>> Thinking along those lines, what do you think of the following mechanism:
>> <meta name="no-more-script">
>> After this element is added to the DOM, the user agent refuses to
>> compile any more script.  Period.  Full stop.
> That's probably not bad, and pretty flexible in function of its
> simplicity. It's a bit trickier to fit plugins into that model.
> It takes away the ability to use HTTP header policies for sandboxing
> same-origin user HTML, which is a possible if unintended use of CSP.
> We probably don't care, though.
> The one substantial roadblock to embracing this or any other approach
> that limits inline scripting later on in document body is dealing with
> event handlers for UI interaction. Manually attaching several hundred
> of them to document elements from JS code looks like a very major
> With no-more-script approach specifically, you actually need to
> register an onload handler or a 1 ms timeout, or else you won't be
> able to look the relevant elements at the time your JS first executes.
> I wonder how to lessen this pain. I suspect offering some options here
> would be essential to any successful proposal. No idea how to do it
> cleanly, though.

I worried about that originally too.  However, that turns out not to
be that big an issue if you use something like jQuery's "live"


It's actually way more elegant than manually including inline event
handlers in the first place.

Received on Saturday, 22 January 2011 01:37:00 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC