
RE: XSS mitigation in browsers

From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
Date: Thu, 20 Jan 2011 16:59:17 -0700
To: Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>
CC: Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Sid Stamm <sid@mozilla.com>, Lucas Adamski <ladamski@mozilla.com>
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB1A1B1251@DEN-MEXMS-001.corp.ebay.com>
> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-
> request@w3.org] On Behalf Of Michal Zalewski
> 
> Specifically, consider that within any medium-complexity domain
> (mozilla.com, google.com, facebook.com), you can almost certainly discover
> a location that returns HTML-escaped attacker-supplied text in a context that
> would parse as valid JavaScript. This is easier than expected particularly in
> browsers that support E4X - such as Firefox.
> If I have a 404 HTML page saying:

Not to nitpick on this bug too much, but regardless of the underlying parsing issue, shouldn't the browser refuse to load this resource when it gets returned with a 404 error code?

At least we'd exclude the one corner case then, right?

- Andy
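The server-side complement to the browser-side rule Andy proposes, as an added example that is not code from the thread or its participants: an audit of raw HTTP error responses that flags those a browser could still execute if another origin pulled them in through a `<script src>` include. The function `audit_error_response`, its finding strings and the sample responses are constructed for this example.

```python
"""Audit raw HTTP error responses for the 'error page parses as script' hazard.

The thread's point: an HTML 404 page that reflects HTML-escaped input can still
parse as JavaScript when included cross-origin via <script src>. A hardened
error response makes that load refusable by the browser: a non-JavaScript
Content-Type plus X-Content-Type-Options: nosniff (the browser then refuses to
execute a script-destination response whose MIME type is not JavaScript).
"""
from typing import Dict, List, Tuple

JS_MIME_TYPES = {"text/javascript", "application/javascript",
                 "application/x-javascript", "application/ecmascript"}


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 404 Not Found" -> 404
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_error_response(raw: str) -> List[str]:
    """Return findings for a 4xx/5xx response; an empty list means hardened."""
    status, headers, _ = parse_response(raw)
    findings: List[str] = []
    if status < 400:
        return findings                          # only error responses are in scope
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    if not mime:
        findings.append("missing Content-Type: body may be sniffed as script")
    elif mime in JS_MIME_TYPES:
        findings.append(f"error page served as {mime}: executable via <script src>")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample responses (not captured from any real server).
BODY = "<html><body>Not found: &lt;reflected input&gt;</body></html>"
WEAK_404 = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n" + BODY
UNTYPED_404 = "HTTP/1.1 404 Not Found\r\nServer: example\r\n\r\n" + BODY
HARDENED_404 = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=utf-8"
                "\r\nX-Content-Type-Options: nosniff\r\n\r\n" + BODY)
OK_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

Running the audit over a crawl of your own error pages (each served with the same headers the sample strings use) tells you which ones still need `nosniff` before relying on any browser-side status check.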
Received on Monday, 24 January 2011 17:58:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 24 January 2011 17:59:12 GMT