- From: David Bruant <bruant.d@gmail.com>
- Date: Thu, 01 Mar 2012 10:10:23 +0100
- To: Adam Barth <w3c@adambarth.com>
- CC: Daniel Veditz <dveditz@mozilla.com>, Jacob Rossi <Jacob.Rossi@microsoft.com>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Le 29/02/2012 23:04, Adam Barth a écrit : > I'm sorry, but the platform cannot current support your use case. > There are only two levels of trust in the platform: either you trust a > document or you don't. If you trust the document, then it can do > anything that you can do. If you don't trust it, then you're fully > isolated from it and can communicate with it using postMessage, etc. This limitation of "2 levels of trust" is exactly what got us screwed in web security in the first place. The "if you trust, it can do anything you can do" case is what allows XSS to be successful. "2 levels of trust" is what should be addressed. And it is. This is *exactly* the very reason CSP is being invented: CSP allows finer granularity to declare for one document what we trust and what we do not trust. As an example, the different combinations of the script-src directive are as many different levels of trust. You load a document and decide to trust: 1) no script at all 2) some scripts sources (list declared in the directive) 3) some scripts sources without unsafe evals 4) no inline scripts 5) some scripts, but with reduced connectivity capabilities (connect-src directive) These reflect different levels of trusts in the document you load (it's not an exhaustive list). I would be fine with arguments saying that the directive I propose is of the wrong granularity, a bad idea because doesn't protect from what I want it to protect, or because the attack I'm describing is too marginal. But "the platform cannot current support your use case, There are only two levels of trust in the platform" does not seem to be a valid argument. David
Received on Thursday, 1 March 2012 09:11:02 UTC