
Re: CSP XML Data with tokens

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 30 Jan 2011 11:31:15 -0800
Message-ID: <AANLkTimRC+r3ep-aD6jda5HEFZU5gEoveX70AQzOauPH@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Giorgio Maone <g.maone@informaction.com>, Adam Barth <w3c@adambarth.com>, Gareth Heyes <gazheyes@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Brandon Sterne <bsterne@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> Anyways, there's not need to argue about this.. you can actually
> create a javascript snippet of code that automatically transforms all
> occurrences of:
>
> <sandbox start="$nonce">
> $user_content
> <sandbox end="$nonce">

Well, that's not backward compatible, dependent on JS, and given the
limitations of sandboxed frames, just slow.

I think the only realistic way we can eventually have this is to have
a method for delivering DOM tree directly to the browser, without the
need to parse it on every client (which, if you come to think about it,
is a remarkable waste of CPU resources);  this would give a lot more
freedom to simple web frameworks to tackle XSS.

It's not entirely outlandish, either - after all, we have SPDY to do
roughly the same for HTTP.

/mz
Received on Sunday, 30 January 2011 19:32:09 GMT
