W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: CSP XML Data with tokens

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 27 Jan 2011 16:27:19 -0800
Message-ID: <AANLkTimqyv97gCePuFUyENiWQaH8jLvLG-YQS5V+O5R_@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: gaz Heyes <gazheyes@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
>
> <span security="xxxxx">html encoded content</span>
>

You need the token in the end tag too, otherwise the attacker can do </span>

=devdatta

On 27 January 2011 16:25, sird@rckc.at <sird@rckc.at> wrote:
> Oh btw, you could also.
>
> <span security="xxxxx">html encoded content</span>
>
> Or am I missing how this is going to behave being backward compatible?
>
> Greetz
> -- Eduardo
>
>
>
>
> On Thu, Jan 27, 2011 at 6:24 PM, sird@rckc.at <sird@rckc.at> wrote:
>> Hi!
>>
>> Just a suggestion, you may prefer to use something like..
>>
>> <xmp token="xxx" class="security">content here</xmp>
>>
>> Old UAs will ignore that, another option could be to use <noscript>
>> but that may be weird, and could cause bad consequences.
>>
>> Greetings!!
>> -- Eduardo
>>
>>
>>
>>
>> On Thu, Jan 27, 2011 at 5:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>>
>>>>> <span security=XXXX>
>>>>>
>>>>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>>>>> </span security=XXXX>
>>>>>
>>>>
>>>> Ah but my point is before HTML is rendered the start and end markers should
>>>> be parsed first. CDATA doesn't matter.
>>>>
>>>
>>> yes, but the point of using XML is that you can use any XML parser and
>>> not your own parser. You might as well use HTML if you are doing that.
>>>
>>> (I am not a big fan of XML -- I am just writing down what I think is
>>> their point of view).
>>>
>>> -devdatta
>>>
>>>
>>>>>
>>>>> Perhaps a more compatible approach would be:
>>>>>
>>>>> <securityXXXX> // With secret token in tag name
>>>>>  user_content_here
>>>>> </securityXXXX>
>>>>>
>>>>> ...but it's also unlikely to fly with purists.
>>>>
>>>> I prefer this maybe with some extra characters that aren't likely to be
>>>> used:-
>>>>  <__securityXXXX__> // With secret token in tag name
>>>>  user_content_here
>>>> </__securityXXXX__>
>>>>
>>>
>>>
>>
>
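A small scanner, added here as an illustration and not code from anyone in the thread, contrasting the two markers discussed above: a token only in the start tag with a plain `</span>` close, versus a token carried in the tag name so the close tag has to match. The function names, the token value and the user content are constructed; it assumes the server knows the per-response token and HTML-escapes everything inside a region.

```javascript
// Split `html` into trusted chunks and untrusted regions delimited by openTag/closeTag.
function splitRegions(html, openTag, closeTag) {
  const parts = [];
  let pos = 0;
  while (pos < html.length) {
    const start = html.indexOf(openTag, pos);
    if (start === -1) {
      parts.push({ trusted: true, text: html.slice(pos) });
      break;
    }
    if (start > pos) parts.push({ trusted: true, text: html.slice(pos, start) });
    const bodyStart = start + openTag.length;
    const end = html.indexOf(closeTag, bodyStart);
    // Missing close tag: the rest of the document stays untrusted (fail closed).
    const bodyEnd = end === -1 ? html.length : end;
    parts.push({ trusted: false, text: html.slice(bodyStart, bodyEnd) });
    pos = end === -1 ? html.length : end + closeTag.length;
  }
  return parts;
}

// Trusted chunks pass through unchanged; untrusted bodies are HTML-escaped.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function render(html, openTag, closeTag) {
  return splitRegions(html, openTag, closeTag)
    .map(p => (p.trusted ? p.text : escapeHtml(p.text)))
    .join('');
}

// Constructed token for the demo; a real one must be unguessable and fresh per response.
const TOKEN = 'a1b2c3';
// Marker 1 from the thread: token only in the start tag, generic </span> close.
const SPAN_OPEN = `<span security="${TOKEN}">`, SPAN_CLOSE = '</span>';
// Marker 2 from the thread: token in the tag name, so the close tag carries it too.
const TOK_OPEN = `<security${TOKEN}>`, TOK_CLOSE = `</security${TOKEN}>`;

// Constructed user content that happens to contain an ordinary </span>.
const USER = 'hi</span><b>x</b>';

// With marker 1 the first </span> ends the region, so <b>x</b> is rendered as trusted markup.
function demoSpan() { return render(`<p>${SPAN_OPEN}${USER}${SPAN_CLOSE}</p>`, SPAN_OPEN, SPAN_CLOSE); }
// With marker 2 the whole body stays inside the region and is escaped.
function demoToken() { return render(`<p>${TOK_OPEN}${USER}${TOK_CLOSE}</p>`, TOK_OPEN, TOK_CLOSE); }
```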
Received on Friday, 28 January 2011 00:28:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 00:28:16 GMT