
CSP - Prevent DOM XSS only?

From: Eduardo' Vela <evn@google.com>
Date: Sat, 8 Dec 2012 19:57:19 -0600
Message-ID: <CAFswPa8CKeZwsvdE8RQLs0xgbZTWOQgUkWudAA-i=OVSPWXV8A@mail.gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>, Adam Barth <w3c@adambarth.com>

Hi!

For some pages (think, static content, or heavy JS sites), the only risk of
XSS is DOM XSS, and one can't realistically convert all inline scripts to
outline for performance reasons.

ATM the only way to protect these pages is by creating the CSP header when
the document has finished loading (after onload or so); however, that won't
catch the scripts that are created before load time, like
<script>xx.innerHTML=xxx</script>

I want to propose something, maybe for CSP 1.1, 1.2, 1.x, 2.x or whatever,
that allows us to disable the behavior that makes innerHTML introduce XSS
(and so, make innerHTML safe by default).

Of course the same has to be done to insertAdjacentHTML, outerHTML, etc.,
but the idea still holds.

It's unclear to me how to define an API for this, but here's a stab:
 * script-src unsafe-static-inline
 *  document.write/innerHTML/etc. won't execute scripts.

In the future one could expand the syntax to only allow "safe" strings or
"untainted" strings, but I don't want to go into details about that.

The objective of this thread is to ignite discussion and flaming; I don't
realistically expect everyone to agree on something any time soon.
Received on Sunday, 9 December 2012 01:58:07 GMT
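
An added example, not part of the original message: a page that has to keep its inline scripts can at least inventory where those scripts feed the HTML-parsing sinks the message names. This Node.js sketch lists each sink use and flags values that are not a plain string literal; the function names and the SAMPLE page are constructed for illustration.

```javascript
// Added example. The sink list comes from the message; all names and SAMPLE are constructed.
const SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)\s*([^;\n]+)/g },
  { name: 'outerHTML', re: /\.outerHTML\s*\+?=(?!=)\s*([^;\n]+)/g },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(\s*[^,]+,\s*([^;\n]+)\)/g },
  { name: 'document.write', re: /document\.write(?:ln)?\s*\(\s*([^;\n]+)\)/g },
];

// True when the expression is one quoted string literal (static markup, no concatenation).
const isStaticLiteral = (expr) => /^\s*(['"])(?:\\.|(?!\1).)*\1\s*$/.test(expr);

// Return the body and starting line of every inline (no src attribute) <script> block.
function inlineScripts(html) {
  const blocks = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (/\bsrc\s*=/i.test(m[1])) continue; // external script: covered by script-src hosts
    const bodyStart = m.index + '<script'.length + m[1].length + 1;
    blocks.push({ startLine: html.slice(0, bodyStart).split('\n').length, code: m[2] });
  }
  return blocks;
}

// Report each sink use with its page line and whether the inserted value is non-literal.
function findDomSinks(html) {
  const findings = [];
  for (const { startLine, code } of inlineScripts(html)) {
    for (const { name, re } of SINKS) {
      for (const m of code.matchAll(re)) {
        const line = startLine + code.slice(0, m.index).split('\n').length - 1;
        findings.push({ sink: name, line, dynamic: !isStaticLiteral(m[1]) });
      }
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page: one external script, one inline block using three sinks.
const SAMPLE = [
  '<html><body>', '<div id="out"></div>', '<script src="/static/app.js"></script>',
  '<script>', 'var out = document.getElementById("out");',
  'out.innerHTML = "<b>loading</b>";',
  'out.innerHTML = new URLSearchParams(location.search).get("msg");',
  'out.insertAdjacentHTML("beforeend", "<i>" + name + "</i>");',
  'if (out.innerHTML == "") document.write("<p>empty</p>");',
  '</script>', '</body></html>',
].join('\n');

for (const f of findDomSinks(SAMPLE)) {
  console.log(`line ${f.line}: ${f.sink} ${f.dynamic ? 'DYNAMIC value, review' : 'static literal'}`);
}
```

The matching is a regex heuristic rather than a JavaScript parser, so treat its output as a review list, not proof that a page is free of these sinks.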
