Re: HTML interpreter vs. HTML user agent

On May 31, 2009, at 12:25 AM, Adam Barth wrote:

> On Fri, May 29, 2009 at 4:58 AM, Sam Ruby <rubys@intertwingly.net>  
> wrote:
>> http://status.aws.amazon.com/rss/EC2API.rss
>
> Based on implementation feedback from Rob and Boris, I've left the
> current behavior of not sniffing feeds from text/plain.  I'm not
> entirely sure whether or not we'll need to sniff feeds from
> text/plain.  Firefox 3.5 should give us more information on this
> point.
>
> If we do end up sniffing feeds from text/plain, Maciej's suggestion of
> not granting feeds the authority of their origin seems workable.  In
> fact, we might be required to do this anyway because many sites are
> vulnerable to cross-site scripting if we granted feeds the authority
> of their origin.
I don't think I made a specific suggestion. But here's some info on  
how Safari treats feeds:

1) We turn a feed into a generated HTML document for display.
2) We can also display a user-selected collection of feeds as one  
document, again displayed as HTML.
3) We don't execute any script that came from the feed in the context  
of the generated HTML document. At the very least due to point #2 this  
would be insecure.
4) We don't let any web page access the contents of the generated HTML  
document via script.

I think this prevents feeds from being used as an XSS attack vector in  
Safari, whether or not they are sniffed from text/plain.

Regards,
Maciej

Received on Sunday, 31 May 2009 08:44:21 UTC
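As an added illustration of point 3 above (feed content is rendered into generated HTML as inert text and never executed), here is a small feed-to-HTML renderer with an audit check. This is example code written for this archive page, not Safari's or WebKit's implementation; the RSS document, the `example.invalid` link and the function names are constructed for the example. Point 4 (keeping other pages from scripting the generated document) is a browser origin-policy decision and is not modelled here.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample feed (not a real feed). The item carries markup in its
# title and description, the kind of content that must render as text and
# must never run as script inside the generated document.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example status feed</title>
  <item>
    <title>Service &lt;b&gt;update&lt;/b&gt;</title>
    <link>https://example.invalid/1</link>
    <description>&lt;script&gt;alert(1)&lt;/script&gt;All systems normal</description>
  </item>
</channel></rss>
"""


def parse_items(feed_xml):
    """Return the feed's items as plain strings; the XML parser has already
    decoded entities, so any markup inside the fields is now literal text."""
    root = ET.fromstring(feed_xml)
    return [
        {
            "title": item.findtext("title") or "",
            "link": item.findtext("link") or "",
            "description": item.findtext("description") or "",
        }
        for item in root.iter("item")
    ]


def safe_link(url):
    """Keep only http(s) links; javascript:, data: and the like are dropped."""
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else ""


def render_feed_html(feed_xml):
    """Build the generated HTML. Every feed-supplied string is escaped, so a
    <script> element in a description becomes visible text, not code."""
    parts = ["<ul>"]
    for it in parse_items(feed_xml):
        title = html.escape(it["title"])
        desc = html.escape(it["description"])
        href = html.escape(safe_link(it["link"]), quote=True)
        if href:
            parts.append(f'<li><a href="{href}">{title}</a>: {desc}</li>')
        else:
            parts.append(f"<li>{title}: {desc}</li>")
    parts.append("</ul>")
    return "\n".join(parts)


class _ActiveContentAudit(HTMLParser):
    """Walk rendered HTML and record anything that could execute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif lname in ("href", "src") and value:
                scheme = urlsplit(value).scheme.lower()
                if scheme and scheme not in ("http", "https"):
                    self.findings.append(f"{name} with scheme {scheme} on <{tag}>")


def audit_rendered_html(rendered):
    """Return a list of findings; an empty list means the generated document
    carries no script elements, event handlers or non-http(s) URLs."""
    audit = _ActiveContentAudit()
    audit.feed(rendered)
    audit.close()
    return audit.findings


if __name__ == "__main__":
    out = render_feed_html(SAMPLE_FEED)
    print(out)
    print("findings:", audit_rendered_html(out))
```

The renderer never passes feed text through as markup, which is what makes point 2 (merging several user-selected feeds into one document) safe as well: no single feed can inject script that runs with the authority of the combined page. The audit function is a regression check for the renderer, not a substitute for escaping.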