Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

On 24 January 2011 18:29, Gervase Markham <gerv@mozilla.org> wrote:

> On 24/01/11 05:47, Devdatta Akhawe wrote:
>
>> I would also add developing policies for common applications like
>> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
>> BugZilla and it seemed too much work to do it without enabling
>> inline-scripts.
>>
>
This is a fantastic idea, but please let's think ahead: without sandboxed
areas of the site to mark, policy creation per site will be more difficult.
It isn't going to be that simple to just specify a policy of no external
script or events; we need finer control over the content. XSS isn't just
about JavaScript; it is about using every feature the browser offers to make a
remote/self-referring request. For the record, I repeat: using a start marker
is a bad idea. You need to control zones/areas of the site using start and end
markers.

Received on Monday, 24 January 2011 21:27:27 UTC