
Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: John Wilander <john.wilander@owasp.org>
Date: Mon, 24 Jan 2011 22:24:27 +0100
Message-ID: <AANLkTimP7Hh0bEMLTJFvz1xSJYWAR8WtbtUoN28G7-YW@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: gaz Heyes <gazheyes@gmail.com>, Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Commenting myself, the best kind of commenting ...

2011/1/24 John Wilander <john.wilander@owasp.org>

> *Scripts vs Domains*
> I think we will have to be very clear in the spec on whether we're trusting
> scripts or domains. NoScript is actually NoDomain which I've tried to
> explain numerous times but IT people still interpret NoScript as actually
> filtering scripts.
>

This should really be Scripts vs Script references vs Domains since all
three have been suggested:

   - Signatures => filtering on scripts, effectively lexical layout and
   encoding of scripts, not semantics.
   - Nonces or full URLs => filtering on script references. One reference
   may point to N scripts and M references may point to one script. Developers
   often use bogus URL changes to circumvent caches so this is a reality.
   - Domains.

   /John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
Received on Monday, 24 January 2011 21:28:50 GMT