Proposed directive for CSP.next: "no-user-js"

As you probably know, browsers have been wrestling with various solutions to the "Self-XSS" issue that has been plaguing social networking sites of late.  If you're not aware, these are the attacks where users are lured into running a malicious JavaScript bookmarklet in their browser.  These attacks have evolved, since browsers have taken several different approaches to neutering the location bar vector, to now leverage other browser functionality such as the JavaScript console.

I propose that we add a new directive, no-user-js, which would cause the user-agent to disable functionality that allows the user to run JavaScript in the context of the page.  This would include the location bar as well as any other place that provides equivalent functionality.  This would NOT affect view-source or any other introspective, or "read-only" functionality.

Bookmarks seem to be a bit of a gray area, since technically users could be duped into creating a malicious bookmarklet and running it, but I tend to favor still allowing bookmarklets since the attack would be quite a bit more obvious, and this is a use case that would piss off lots of people if broken [1].  There is a set of users who we cannot reasonably protect: "run this executable to get neato Farmville upgrades!".  Of course we could leave this up to user-agents to decide how to handle this case.

Does anyone object to this proposal?

Thanks,
Brandon

[1] Mozilla pissed off a huge number of people by turning off javascript: URLs in the location bar.  See the comment thread in https://bugzilla.mozilla.org/show_bug.cgi?id=656433

Received on Wednesday, 14 December 2011 22:09:10 UTC