
Re: CSP XML Data with tokens

From: <sird@rckc.at>
Date: Thu, 27 Jan 2011 18:25:55 -0600
Message-ID: <AANLkTi=jJSdh=8oJAgN+gktPrpa1z6ES-ouBj5=oec2y@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Oh btw, you could also.

<span security="xxxxx">html encoded content</span>

Or am I missing how this is going to behave being backward compatible?

Greetz
-- Eduardo




On Thu, Jan 27, 2011 at 6:24 PM, sird@rckc.at <sird@rckc.at> wrote:
> Hi!
>
> Just a suggestion, you may prefer to use something like..
>
> <xmp token="xxx" class="security">content here</xmp>
>
> Old UAs will ignore that, another option could be to use <noscript>
> but that may be weird, and could cause bad consequences.
>
> Greetings!!
> -- Eduardo
>
>
>
>
> On Thu, Jan 27, 2011 at 5:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>
>>>> <span security=XXXX>
>>>>
>>>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>>>> </span security=XXXX>
>>>>
>>>
>>> Ah but my point is before HTML is rendered the start and end markers should
>>> be parsed first. CDATA doesn't matter.
>>>
>>
>> yes, but the point of using XML is that you can use any XML parser and
>> not your own parser. You might as well use HTML if you are doing that.
>>
>> (I am not a big fan of XML -- I am just writing down what I think is
>> their point of view).
>>
>> -devdatta
>>
>>
>>>>
>>>> Perhaps a more compatible approach would be:
>>>>
>>>> <securityXXXX> // With secret token in tag name
>>>>  user_content_here
>>>> </securityXXXX>
>>>>
>>>> ...but it's also unlikely to fly with purists.
>>>
>>> I prefer this maybe with some extra characters that aren't likely to be
>>> used:-
>>>  <__securityXXXX__> // With secret token in tag name
>>>  user_content_here
>>> </__securityXXXX__>
>>>
>>
>>
>
Received on Friday, 28 January 2011 00:26:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 00:26:48 GMT
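A small model of the two envelope schemes discussed in this thread (the secret token in the tag name, and Eduardo's fallback of HTML-encoding the content inside a `<span security="...">`), added here as example code; it is not from the thread or from any CSP implementation, and the token-aware and legacy renderers are simplified assumptions about UA behaviour, not real browser parsing.

```python
import html
import re
import secrets

def make_token() -> str:
    """Per-response secret token; unguessable by content that was submitted earlier."""
    return secrets.token_hex(16)

def wrap_user_content(token: str, user_content: str) -> str:
    """Emit the <__securityXXXX__>...</__securityXXXX__> envelope from the thread.
    The raw user content goes inside; only a token-aware UA treats it as CDATA."""
    close_tag = f"</__security{token}__>"
    if close_tag in user_content:
        # Token leaked into the content: the envelope cannot be trusted, refuse to emit.
        raise ValueError("user content contains the envelope's closing tag")
    return f"<__security{token}__>{user_content}{close_tag}"

def wrap_encoded(token: str, user_content: str) -> str:
    """Eduardo's fallback: <span security="..."> around HTML-encoded content, so a
    legacy UA that ignores the attribute still sees text, not markup."""
    return f'<span security="{token}">{html.escape(user_content, quote=True)}</span>'

def render_token_aware(token: str, document: str) -> str:
    """Simplified model of a token-aware UA (an assumption, not browser code):
    everything between the matching envelope tags is escaped, never parsed."""
    open_tag = re.escape(f"<__security{token}__>")
    close_tag = re.escape(f"</__security{token}__>")
    pattern = re.compile(open_tag + r"(.*?)" + close_tag, re.S)
    return pattern.sub(lambda m: html.escape(m.group(1), quote=True), document)

def render_legacy(document: str) -> str:
    """Simplified model of a pre-CSP UA: the unknown envelope tags are dropped and
    whatever is inside is parsed as ordinary HTML (the backward-compat concern)."""
    return re.sub(r"</?__security[0-9a-f]+__>", "", document)

if __name__ == "__main__":
    token = make_token()
    # Constructed sample: user text that guesses a token to try to close the envelope.
    user = 'hi <b>bold</b> </__security0000__><i>x</i>'
    doc = "<p>Comment:</p>" + wrap_user_content(token, user)
    print("token-aware UA:", render_token_aware(token, doc))
    print("legacy UA     :", render_legacy(doc))
    print("encoded       :", render_legacy(wrap_encoded(token, user)))
```

The legacy renderer shows why the tag-name token alone does not help old UAs, while the encoded variant reads as text in both models.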