
RE: XSS mitigation in browsers

From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
Date: Sun, 23 Jan 2011 22:53:21 -0700
To: Lucas Adamski <ladamski@mozilla.com>, Michal Zalewski <lcamtuf@coredump.cx>
CC: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Sid Stamm <sid@mozilla.com>
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB1A26B74C@DEN-MEXMS-001.corp.ebay.com>
> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-
> request@w3.org] On Behalf Of Lucas Adamski
> 
> 
> On a conceptual level, I am not really a believer in the current proliferation of
> orthogonal atomic mechanisms intended to solve very specific problems.
> Security is a holistic discipline, and so I'm a big supporter of investing in an
> extensible declarative security policy mechanism that could evolve as the
> web and the threats that it faces do.  

We (=JeffH and I) argued precisely this point at W2SP last year - http://w2spconf.com/2010/ - paper and slides near the bottom.

Our frustration is that with as many security techniques as there are sprinkled all over the place, and the results of missing even one being catastrophic (depending on the exact one), it ought to be easier to wrap all of this up in one place.

I feel for the conflict between easy for the average web developer to use and comprehensive/complicated, but this isn't easy stuff.  It requires lots of thinking about side effects anyway.  The majority of people are just going to copy+paste policies anyway, the way they do for P3P, for Java security descriptions, web.xml files, etc.  People will copy common examples, not craft them from scratch. As such, policy builders/wizards and lots of good examples are really the only way to go.

If the real goal is "least privilege" for the Web (that is my goal anyway), we're going to need nuance, complication, etc.

At the same time, maybe there are some things we just can't allow.  Like blurring the line ever more between control, data, and policy by putting policy into HTML.  Seems to me we've dug a big enough hole with that one... and maybe it's time to stop digging.

- Andy
Received on Monday, 24 January 2011 17:12:06 GMT
