Cross Site Attacks

I made a new page on the wiki, for detailing the various cross site  
attacks we see, http://www.w3.org/Security/wiki/Cross_Site_Attacks, feel  
free to expand.

I'd like to see a unified approach to Web security, where a server
administrator can do a single change to protect the entire server against
a range of attacks, and page authors don't need to worry about them. The
page makes the need for a unified approach clear: as of today, servers need
to protect themselves with Origin, CSP, STS, X-Frame-Options,
Framebusting, Sanitization and more, much of it on every single page. A
single HTTP header with e.g. a link to a resource file would be easier to
maintain, save bandwidth, and be extensible for future needs. As is clear
from e.g. CSP, user agents might need protection against differing attacks;
a unified solution can also make it easy to allow user agent specific
instructions.

-- 
Sigbjørn Vik
Quality Assurance
Opera Software

Received on Monday, 7 December 2009 10:05:42 UTC