Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Joel H. W. Weinberger <jww@eecs.berkeley.edu>
Date: Wed, 26 Jan 2011 15:37:01 -0800
To: Adam Barth <w3c@adambarth.com>
Cc: Gervase Markham <gerv@mozilla.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, John Wilander <john.wilander@owasp.org>, Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
Message-ID: <20110126233701.GT5103@samuel.EECS.Berkeley.EDU>
I'm currently working on a formal description of our experiences transforming
Bugzilla into a CSP-ready application. Adam's description of our results is
accurate. We were able to get Bugzilla working with CSP and preventing XSS
attacks (i.e. inline scripts disabled), but it was not trivial and the
performance is not great.

At the suggestion of Gervase Markham, I will post a thorough description of my
experiences when I am done to this Bugzilla bug report:
	https://bugzilla.mozilla.org/show_bug.cgi?id=600692
But if anyone has any questions in the meantime, I would be happy to answer
them.
--Joel

On Mon, Jan 24, 2011 at 03:52:30PM -0800, Adam Barth wrote:
> On Mon, Jan 24, 2011 at 10:29 AM, Gervase Markham <gerv@mozilla.org> wrote:
> > On 24/01/11 05:47, Devdatta Akhawe wrote:
> >> I would also add developing policies for common applications like
> >> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
> >> BugZilla and it seemed too much work to do it without enabling
> >> inline-scripts.
> >
> > Did you communicate with the Bugzilla development team while doing this? I
> > didn't see anything cross the mailing list... Getting Bugzilla in a state
> > where it can have a CSP policy would be a great thing. Why not file a bug
> > about it?
> 
> We did this as an experiment to evaluate how easy it was to deploy CSP
> on a real web site.  Joel can tell you more of the details.  We
> eventually got it working, although we had to do some work to avoid
> losing performance.
> 
> Adam
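The thread's central distinction is between a CSP policy that keeps inline scripts disabled (the Bugzilla experiment above) and one that falls back to allowing them. The following checker, added here and not code from Joel, Adam or the Bugzilla project, parses a Content-Security-Policy header and reports whether inline scripts would execute, using the CSP 1.0 semantics of the period: script-src governs scripts, default-src is the fallback when script-src is absent, and 'unsafe-inline' is the only way to permit inline code (nonce and hash sources, which came later, are not modeled). The sample policies are constructed for illustration.

```python
"""Audit Content-Security-Policy headers for inline-script exposure.

Added example (CSP 1.0 semantics): does this policy let inline <script>
blocks and inline event handlers run? Sample policies are constructed.
"""


def parse_csp(header):
    """Parse a CSP header into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Per the spec,
    the first occurrence of a directive wins and later duplicates are ignored.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_script_sources(policy):
    """Return the source list that governs script execution.

    script-src applies when present; otherwise default-src is the fallback.
    None means neither directive exists, so scripts are unrestricted.
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_scripts(header):
    """True if inline scripts would execute under this header."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # no directive restricts scripts at all
    # Keyword sources are quoted, e.g. 'unsafe-inline'; compare case-insensitively.
    return any(src.strip("'").lower() == "unsafe-inline" for src in sources)


def audit(headers):
    """Map each policy label to whether it leaves inline scripts enabled."""
    return {label: allows_inline_scripts(hdr) for label, hdr in headers.items()}


# Constructed sample policies (not taken from any real deployment).
SAMPLE_POLICIES = {
    # The goal state described in the thread: scripts only from the origin.
    "strict": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
    # The shortcut the thread calls "enabling inline-scripts".
    "inline-allowed": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    # No script-src: default-src is the fallback and still blocks inline code.
    "fallback-strict": "default-src 'self'",
    # default-src permits inline, and script-src is absent, so it leaks through.
    "fallback-leaky": "default-src 'self' 'unsafe-inline'",
    # Nothing governs scripts at all.
    "no-script-directive": "img-src 'self'",
}

if __name__ == "__main__":
    for label, inline_ok in audit(SAMPLE_POLICIES).items():
        verdict = "inline scripts ENABLED" if inline_ok else "inline scripts disabled"
        print(f"{label:22s} {verdict}")
```

Running the block prints one verdict per sample policy; the two fallback cases show why a review has to look at default-src as well as script-src before concluding that a policy keeps inline scripts off.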
Received on Thursday, 27 January 2011 08:01:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 27 January 2011 08:01:06 GMT