public-web-security@w3.org (W3C public mailing list archive), January 2011

RE: XSS mitigation in browsers

From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
Date: Thu, 20 Jan 2011 17:07:22 -0700
To: Michal Zalewski <lcamtuf@coredump.cx>
CC: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Sid Stamm <sid@mozilla.com>, Lucas Adamski <ladamski@mozilla.com>
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB1A1B1267@DEN-MEXMS-001.corp.ebay.com>
> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf@coredump.cx]
> 
> Possibly, but IIRC, this does not happen today with <img>, <script>, etc. IIRC,
> any codes other than 30x and 401 (and possibly other obscure cases) are
> essentially treated as 200. I suppose this is in line with the tradition of
> ignoring other HTTP information in these cases (Content-Type, Content-
> Disposition), although there are some efforts to improve at least that last
> part.

Any history on why this is the case? And what would break if this behavior changed?

For example, we've never seen a case in recent history where any browser will execute the embedded script in your example when the page is a 302, and yet some vuln scanners still complain about this issue.

I realize lots of people have rich 404-pages, but how much would we really break if we turned that off? No "dynamic content" on a 404? Or, some other heuristic which covers your include case safely, but doesn't impact people's existing 404-pages that embed content.

- Andy
Received on Monday, 24 January 2011 17:58:07 GMT