
Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 24 Jan 2011 21:26:55 +0000
Message-ID: <AANLkTiker1fau1DSk8X8GN-uwSCjC6pZpW655Jmpx6AO@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, John Wilander <john.wilander@owasp.org>, Michal Zalewski <lcamtuf@coredump.cx>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
On 24 January 2011 18:29, Gervase Markham <gerv@mozilla.org> wrote:

> On 24/01/11 05:47, Devdatta Akhawe wrote:
>
>> I would also add developing policies for common applications like
>> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
>> BugZilla and it seemed too much work to do it without enabling
>> inline-scripts.
>>
>
This is a fantastic idea, but please let's think ahead: without sandboxed
areas of the site to mark, policy creation per site will be more difficult.
It isn't going to be that simple to just specify a policy of no external
script or events; we need finer control over the content. XSS isn't about
just JavaScript; it is about using every feature the browser offers to make a
remote/self-referring request. For the record, I repeat: using a start marker
is a bad idea; you need to control zones/areas of the site; use start and end
markers.
Received on Monday, 24 January 2011 21:27:27 GMT
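As an added illustration of the point made in this message (example code written for this page, not from the thread, from CSP itself, or from any of the projects named): a small evaluator for a CSP-style policy that shows how a policy which only pins script sources still leaves other request-making browser features, such as images and XHR, unrestricted. The page origin, the policy strings and the list of requests an injected fragment might make are constructed for the example; the parser covers only the 'self', 'none', host and wildcard-host source forms and is not a full CSP implementation.

```python
"""
Added example, not part of the original thread: a minimal CSP-style policy
evaluator. It demonstrates why restricting script-src alone does not stop
an injected fragment from making requests through other browser features.
Source matching is simplified ('self', 'none', '*', host, *.host).
"""
from urllib.parse import urlsplit

# Which fetch directive governs a given browser feature (CSP 1.0 names).
FEATURE_DIRECTIVE = {
    "script": "script-src",
    "img": "img-src",
    "style": "style-src",
    "frame": "frame-src",
    "connect": "connect-src",
}


def parse_policy(policy):
    """Parse "dir src src; dir src" into {directive: [sources]}."""
    rules = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            rules[tokens[0].lower()] = tokens[1:]
    return rules


def _source_matches(source, origin, page_origin):
    """Does one source expression permit a load from `origin`?"""
    if source == "'self'":
        return origin == page_origin
    if source == "'none'":
        return False
    if source == "*":
        return True
    if "://" in source:            # full origin, e.g. https://cdn.example.org
        return origin == source
    host = urlsplit(origin).hostname
    if source.startswith("*."):    # wildcard host, any scheme
        return host is not None and host.endswith(source[1:])
    return host == source          # bare host name


def request_allowed(policy, feature, url, page_origin):
    """True if `policy` lets `feature` load `url` on a page at page_origin."""
    rules = parse_policy(policy)
    sources = rules.get(FEATURE_DIRECTIVE[feature], rules.get("default-src"))
    if sources is None:
        return True                # nothing in the policy covers this directive
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    return any(_source_matches(s, origin, page_origin) for s in sources)


def blocked_features(policy, feature_urls, page_origin):
    """Names of the features whose sample request the policy would block."""
    return [f for f, u in feature_urls
            if not request_allowed(policy, f, u, page_origin)]


# Constructed sample: requests an injected fragment could cause a page at
# https://app.example.org to make towards an unrelated origin.
PAGE = "https://app.example.org"
INJECTED = [
    ("script", "https://external.example/x.js"),
    ("img", "https://external.example/log"),
    ("connect", "https://external.example/"),
]
# Policy that only pins scripts (constructed).
SCRIPT_ONLY = "script-src 'self'"
# Policy with a default for every directive plus one static-asset host (constructed).
EVERYTHING = "default-src 'self'; img-src 'self' *.static.example.org"

if __name__ == "__main__":
    print("script-src only blocks:", blocked_features(SCRIPT_ONLY, INJECTED, PAGE))
    print("default-src blocks:", blocked_features(EVERYTHING, INJECTED, PAGE))
```

Running the block shows the script-only policy stopping just the external script while the image and XHR requests go through, whereas the policy with a default-src covers every feature and still admits the explicitly listed static host. That is the "every feature the browser offers" problem in miniature: the coverage of a policy, not only its script rule, decides what an injected fragment can do.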
