
Re: CSP XML Data with tokens

From: <sird@rckc.at>
Date: Thu, 27 Jan 2011 18:24:29 -0600
Message-ID: <AANLkTi=9e-8uHeVejibx3Pb+yiEmz00+82AHar3CJqgt@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Hi!

Just a suggestion, you may prefer to use something like...

<xmp token="xxx" class="security">content here</xmp>

Old UAs will ignore that. Another option could be to use <noscript>,
but that may be weird and could cause bad consequences.

Greetings!!
-- Eduardo




On Thu, Jan 27, 2011 at 5:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>
>>> <span security=XXXX>
>>>
>>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>>> </span security=XXXX>
>>>
>>
>> Ah but my point is before HTML is rendered the start and end markers should
>> be parsed first. CDATA doesn't matter.
>>
>
> yes, but the point of using XML is that you can use any XML parser and
> not your own parser. You might as well use HTML if you are doing that.
>
> (I am not a big fan of XML -- I am just writing down what I think is
> their point of view).
>
> -devdatta
>
>
>>>
>>> Perhaps a more compatible approach would be:
>>>
>>> <securityXXXX> // With secret token in tag name
>>>  user_content_here
>>> </securityXXXX>
>>>
>>> ...but it's also unlikely to fly with purists.
>>
>> I prefer this maybe with some extra characters that aren't likely to be
>> used:-
>>  <__securityXXXX__> // With secret token in tag name
>>  user_content_here
>> </__securityXXXX__>
>>
>
>
Received on Friday, 28 January 2011 00:25:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 00:25:25 GMT