
Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: gaz Heyes <gazheyes@gmail.com>
Date: Sat, 22 Jan 2011 10:34:06 +0000
Message-ID: <AANLkTikRR_jDbo0eT8cdeoskdNQx+NkqxOTvRiSLQnd8@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
On 22 January 2011 08:29, Gervase Markham <gerv@mozilla.org> wrote:

> On 21/01/11 22:44, Michal Zalewski wrote:
>
>> 3) Allowing inline scripts guarded by policy-specified nonce tokens
>> (<meta>  says "inline-script-token=$random", inline scripts have
>> <script token="$previously_specified_random">...</script>). This
>> eliminates one of the most significant issues with deploying CSP or
>> this proposal on sites that are extremely concerned about the overhead
>> of extra HTTP requests; for example, much of *.google.com is subject
>> to such concerns.
>>
>
> http://www.gerv.net/security/script-keys/
>

Both this and the meta tag are vulnerable to any sort of HTML attribute
injection; this is why I suggested using both an opening and a closing
randomized tag. E.g. <meta nothankyou=' would enclose any existing tags
until the next ' and >, which would either disable the intended restriction
or, even worse, allow you to use the key.

Received on Saturday, 22 January 2011 10:34:38 GMT
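As an added example (not from the thread or any of its authors), the script below feeds two versions of a constructed page to the tolerant HTML tokenizer in Python's standard library and reports whether the policy <meta> tag survives when the injected text from the message above lands before it. The attribute names inline-script-token and token, and the unescaped reflection point ahead of the policy tag, are assumptions made for the demonstration.

```python
# Added example: a tolerant HTML tokenizer closes a single-quoted attribute
# value only at the next "'", so a dangling quote swallows whatever follows,
# including a policy-carrying <meta> tag.
from html.parser import HTMLParser

POLICY_ATTR = "inline-script-token"  # assumed name of the <meta> policy attribute

# Constructed page: an untrusted value is echoed unescaped *before* the policy
# <meta>, and the legitimate tags use single-quoted attribute values.
TEMPLATE = (
    "<html><head>\n"
    "<title>Demo</title>\n"
    "{untrusted}\n"
    "<meta inline-script-token='s3cr3t'>\n"
    "</head><body>\n"
    "<script token='s3cr3t'>init();</script>\n"
    "</body></html>\n"
)

class TokenAudit(HTMLParser):
    """Records the policy token, every <script> token, and any attribute value
    into which the policy tag text was absorbed."""
    def __init__(self):
        super().__init__()
        self.policy_token = None
        self.script_tokens = []
        self.swallowed = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and POLICY_ATTR in attrs:
            self.policy_token = attrs[POLICY_ATTR]
        elif tag == "script":
            self.script_tokens.append(attrs.get("token"))
        for value in attrs.values():          # did the policy tag end up inside a value?
            if value and POLICY_ATTR in value:
                self.swallowed.append(value)

def audit(untrusted):
    """Render the page with the untrusted value and report what the tokenizer sees."""
    p = TokenAudit()
    p.feed(TEMPLATE.format(untrusted=untrusted))
    p.close()
    return p

def restriction_in_effect(result):
    """Under a <meta>-carried scheme, no policy tag means no restriction at all."""
    return result.policy_token is not None

if __name__ == "__main__":
    for label, value in (("benign", "hello"), ("injected", "<meta nothankyou='")):
        r = audit(value)
        print(label, r.policy_token, r.script_tokens, r.swallowed)
```

In the injected run the policy token is gone and the whole `<meta inline-script-token=` text shows up as the value of the attacker's nothankyou attribute, while the legitimate script still parses normally.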

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 22 January 2011 10:34:38 GMT