Re: Test Suite and XSS

Le lundi 08 novembre 2010 à 17:00 +0100, Anne van Kesteren a écrit :
> While we had the meeting everyone in the room sort of agreed that the  
> safest solution would be to host the test suite on a domain that could not  
> be made same-origin with using document.domain. And one that would  
> not share cookies either. Dominique suggested that we could instead try to  
> avoid such holes by not putting files that allow for XSS on  
> When I relayed this nobody thought that would be a workable solution.

(FWIW, I'm making progress internally on setting up a separate domain
based on Anne's feedback on this)

> It seems to me the most pragmatic solution here is to use a separate  
> domain. This avoids the hassle of having to carefully review each file for  
> XSS exploits and avoids tests having to be rewritten. It also removes the  
> possibility for an exploit this way which seems like a major win.
> If people could reiterate their own points from the meeting that might  
> help.

I'm particularly interested on more details as to what are the XSS holes
that look hard or impossible to plug.


Received on Monday, 8 November 2010 16:03:09 UTC