
Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 24 Jan 2011 15:57:32 -0800
Message-ID: <AANLkTim-0Uuz5enUa85CpTa2c2-xV0jURtU_BBMAcrEV@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Gervase Markham <gerv@mozilla.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, John Wilander <john.wilander@owasp.org>, Michal Zalewski <lcamtuf@coredump.cx>, public-web-security@w3.org
On Mon, Jan 24, 2011 at 1:26 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 24 January 2011 18:29, Gervase Markham <gerv@mozilla.org> wrote:
>> On 24/01/11 05:47, Devdatta Akhawe wrote:
>>> I would also add developing policies for common applications like
>>> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
>>> BugZilla and it seemed too much work to do it without enabling
>>> inline-scripts.
>
> This is a fantastic idea, but please let's think ahead: without sandboxed
> areas of the site to mark, policy creation per site will be more difficult.
> It isn't going to be that simple to just specify a policy of no external
> script or events; we need finer control over the content. XSS isn't about
> just JavaScript, it is about using every feature the browser offers to make a
> remote/self-referring request. For the record, I repeat: using a start marker
> is a bad idea; you need to control zones/areas of the site using start and end
> markers.

Finer-grain control is a bit trickier.  So far, no browser has
finished implementing srcdoc/sandbox/seamless, which is the HTML5
approach to addressing this use case.  The other tech-tree that
folks are exploring in this space is ECMAScript-based, using SES.
That's not quite done yet either.

Personally, I'm hopeful that some combination of XBL2 and SES will
allow for assembling an HTML document out of mutually distrusting
components.  Admittedly, it's not a "quick fix", but combining those
approaches has a lot of promise.

Adam
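The srcdoc/sandbox mechanism Adam mentions, as an added example that is not part of the thread: a host page places an untrusted fragment in its own sandboxed, opaque-origin iframe instead of relying on a site-wide policy. The helper names (`escapeAttr`, `sandboxedArea`) and the inline CSP are assumptions of this example.

```javascript
// Added example, not from the mailing-list thread. A server-side helper that
// wraps an untrusted HTML fragment in a sandboxed iframe using HTML5 srcdoc.
// Because srcdoc is an attribute, the fragment must be attribute-escaped or
// the untrusted content could simply close the attribute and the iframe.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// `allow` lists the sandbox tokens the host chooses to grant (assumed API).
// Granting allow-scripts together with allow-same-origin lets the framed
// content remove its own sandbox attribute, so that pairing is refused.
function sandboxedArea(untrustedHtml, allow = []) {
  if (allow.includes("allow-scripts") && allow.includes("allow-same-origin")) {
    throw new Error("allow-scripts + allow-same-origin defeats the sandbox");
  }
  // A CSP delivered inside the framed document (assumed policy) restricts
  // what the fragment may load even if a sandbox token is later relaxed.
  const csp = "default-src 'none'; style-src 'unsafe-inline'";
  const doc =
    `<!doctype html><meta http-equiv="Content-Security-Policy" content="${csp}">` +
    untrustedHtml;
  return `<iframe sandbox="${allow.join(" ")}" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Constructed sample fragment, as a comment author might submit it.
const sample = '<b>comment</b><script>alert(document.cookie)</script>';
console.log(sandboxedArea(sample));
```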
Received on Monday, 24 January 2011 23:58:36 GMT
