W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 11:23:38 +0000
Message-ID: <AANLkTin24toq0Q9o8UcFp91-s=UrRdssznwfH-qVLDMa@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28 January 2011 11:18, Gervase Markham <gerv@mozilla.org> wrote:

> I guess you could defeat this attack by prefixing every script key with the
> string
> '"
> i.e.
> <script> /* '" SCRIPT_KEY_HERE */ var valid_script = 0; ... </script>
> But I agree that's a bit of a pain to do. We could make it so that the only
> valid script-keys were ones which began "' ... !
> Gerv

Nope that wouldn't work because <textarea> or similar attacks would continue
parsing until the next </textarea> we'd know which user it was as we have a
lot of the HTML. Maybe you could use CSS based attacks to get round the
quotes too but I've not looked into encoded quotes in CSS and what happens
if a real quote is encountered. Either way I'd still have a start and end
Received on Friday, 28 January 2011 11:24:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 11:24:10 GMT