W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: CSP XML Data with tokens

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sat, 29 Jan 2011 21:43:38 -0800
Message-ID: <AANLkTi=WHMHDL8qr2kyUUVCw-062HZXfc6yaNUuj5Pm0@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Adam Barth <w3c@adambarth.com>, Gareth Heyes <gazheyes@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Brandon Sterne <bsterne@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> Anyways, I digress.. the conclusion, from my point of view is that we
> don't need XML data tokens if we have sandboxed iframes with srcdoc.

I think there is a substantial advantage of being able to output small
chunks of untrusted data as-is - note that this is the problem this
sub-thread started with - and simply mark the relevant section of the
page as restricted in some way (no HTML parsing at all, no scripting,
no external subresources, etc).

I sort of suspect that making this possible would be the single most
effective way to put a dent in XSS; certainly more convenient than any
restrictive, page-wide script policies.

I think that sandboxed frames do not solve this problem, because:

1) Their performance / memory usage impact will probably render them
largely impractical to put several dozen or hundred of them on a
single page - and this is how many bits of untrusted text you may have
on a page of a typical discussion forum or a mail client. Sandboxed
frames solve the problem of untrusted gadgets, third-party documents,
and some other cases like this, but not that of your typical
discussion forum or so.

[ Because of this, I am actually wondering if the combination of
sandbox + seamless is going to be that useful. ]

2) For simple text-only output, the need to apply a specific transform
to the payload (and do it well) is arguably comparable with the
difficulty of avoiding XSS in the same scenario.

That said, this is sort of moot, because through the years, nobody
could propose a broadly acceptable way to do this without
substantially changing HTML / XML.

/mz
Received on Sunday, 30 January 2011 05:44:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 30 January 2011 05:44:32 GMT