Re: Test Suite and XSS

On Nov 8, 2010, at 8:02 AM, Dominique Hazael-Massieux wrote:

> Le lundi 08 novembre 2010 à 17:00 +0100, Anne van Kesteren a écrit :
>> While we had the meeting everyone in the room sort of agreed that the  
>> safest solution would be to host the test suite on a domain that could not  
>> be made same-origin using document.domain. And one that would  
>> not share cookies either. Dominique suggested that we could instead try to  
>> avoid such holes by not putting files that allow for XSS on  
>> When I relayed this nobody thought that would be a workable solution.
> (FWIW, I'm making progress internally on setting up a separate domain
> based on Anne's feedback on this)
>> It seems to me the most pragmatic solution here is to use a separate  
>> domain. This avoids the hassle of having to carefully review each file for  
>> XSS exploits and avoids tests having to be rewritten. It also removes the  
>> possibility for an exploit this way which seems like a major win.
>> If people could reiterate their own points from the meeting that might  
>> help.
> I'm particularly interested on more details as to what are the XSS holes
> that look hard or impossible to plug.

I think it is more a matter of expected volume of tests than specific exploits. We expect a thorough test suite for HTML5 will run north of 100,000 tests. Many of the tests will run script, and a number of them will be deliberately probing edge cases of the same-origin security policy. Carefully reviewing all these tests for XSS vulnerability, or for that matter CSRF vulnerability, is probably beyond the means of the working group.


Received on Monday, 8 November 2010 16:21:17 UTC
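A small defender-side check for the hosting decision discussed in this thread, added here as an example (not code from the original message or from the W3C): given a candidate test-suite host and the main site's host, it reports whether the two could set document.domain to a common value and so become same-origin, and whether they share a registrable domain, which is also what a Domain= cookie attribute can span. The public-suffix set is a constructed stub standing in for the real Public Suffix List, and the function and host names are hypothetical.

```javascript
// Added example (not from the original thread). Hypothetical helper for the
// hosting decision: can two hostnames be made same-origin via document.domain,
// or share cookies via a Domain= attribute? Both mechanisms bottom out at a
// shared registrable domain (public suffix + one label). A real check must use
// the full Public Suffix List; this constructed set only covers the sample hosts.
const PUBLIC_SUFFIXES = new Set(['org', 'com', 'net', 'co.uk', 'github.io']);

// Registrable domain (eTLD+1) of a hostname, or null when the host is itself a
// public suffix or a bare single label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  // Scan from the full host downwards so the longest known suffix wins
  // (e.g. "github.io" is matched before "io" would be).
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  // Unknown TLD: conservatively treat the last label as the public suffix.
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

// Values document.domain could legally be set to on this host: the host itself
// and every superdomain that is neither a public suffix nor a bare TLD.
function documentDomainCandidates(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  const out = [];
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate) || i === labels.length - 1) break;
    out.push(candidate);
  }
  return out;
}

// Assess whether testHost is isolated from siteHost. Same-origin relaxation
// needs both documents to set document.domain to the same value (and the same
// scheme, assumed here); domain cookies need a common registrable domain.
function assessIsolation(testHost, siteHost) {
  const siteCandidates = documentDomainCandidates(siteHost);
  const common = documentDomainCandidates(testHost)
    .filter((d) => siteCandidates.includes(d));
  const testReg = registrableDomain(testHost);
  return {
    sharedRegistrableDomain: testReg !== null && testReg === registrableDomain(siteHost),
    documentDomainCommonValues: common, // values both pages could agree on
    isolated: common.length === 0,
  };
}

// Demonstration on constructed host names.
for (const [t, s] of [
  ['tests.w3.org', 'www.w3.org'],       // subdomain of the same site: not isolated
  ['tests.example.org', 'www.w3.org'],  // separate registrable domain: isolated
  ['alice.github.io', 'bob.github.io'], // shared public suffix only: isolated
]) {
  console.log(t, 'vs', s, '->', JSON.stringify(assessIsolation(t, s)));
}
```

The two host lists only agree on a value when they share a registrable domain, which is why a sibling subdomain such as tests.w3.org cannot be isolated from www.w3.org by review alone, while a host under a different registrable domain (or under a public suffix, where each label gets its own registrable domain) cannot be joined to it by document.domain at all. Browsers have since been deprecating the document.domain setter, but cookie scoping still follows the same registrable-domain boundary, so the separate-domain choice remains the simpler control.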