Re: XSS mitigation in browsers

> 2) Writing a correct JavaScript program that enforces a reasonable
> security policy is somewhat tricky.  For example, we have a bunch of
> implementation experience with postMessage that shows that folks often
> write incorrect regular expressions when trying to filter messages.
> By using a more declarative policy language with a restricted syntax,
> we make it harder for folks to shoot themselves in the foot.

Declarative approaches are also way easier to audit.

FWIW, Ulfar proposed arbitrarily policing script behavior
While that's an interesting piece of research, I think it's also a
good cautionary tale against offering too much flexibility where it
may not be necessary =)


Received on Thursday, 20 January 2011 00:30:12 UTC
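The quoted remark about postMessage filters is the concrete case behind this thread. As an added example (not code from the list or from any browser vendor), the following contrasts a regex-based origin filter with an exact-match allowlist of the kind a declarative policy would express. The origins and the `ping`/`pong` message shape are constructed sample values; the handler takes an event-like object so it runs outside a browser.

```javascript
// Added example (not from the original thread): a regex-based postMessage
// origin filter beside an exact-match allowlist. All origins are constructed
// sample values, not real sites.

// Flawed filter: the pattern is anchored at the start and the dots are
// escaped, but nothing terminates the host, so any origin whose host merely
// begins with the expected name also passes. Shown as the pitfall.
const LOOSE_ORIGIN_RE = /^https:\/\/app\.example\.com/;
function isTrustedOriginRegex(origin) {
  return LOOSE_ORIGIN_RE.test(origin);
}

// Declarative alternative: the policy is data (an allowlist of full origins)
// and the check is exact equality against event.origin, which the browser
// already normalizes to scheme://host[:port].
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);
function isTrustedOriginExact(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Handler shaped like a window "message" listener. The origin check comes
// first; even a trusted sender only gets a fixed command vocabulary.
function handleMessage(event, policy = isTrustedOriginExact) {
  if (typeof event.origin !== "string" || !policy(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "ping") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  return { accepted: true, reply: "pong" };
}

// Constructed sample events: a legitimate sender, a host that only starts
// with the trusted name, a scheme downgrade, and an unexpected command.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { type: "ping" } },
  { origin: "https://app.example.com.attacker.invalid", data: { type: "ping" } },
  { origin: "http://app.example.com", data: { type: "ping" } },
  { origin: "https://app.example.com", data: { type: "exec", code: "x" } },
];

// Returns the accept/reject decision for each sample event under a policy.
function summarize(policy) {
  return SAMPLE_EVENTS.map((ev) => handleMessage(ev, policy).accepted);
}

console.log("regex policy :", summarize(isTrustedOriginRegex));
console.log("exact policy :", summarize(isTrustedOriginExact));
```

The regex version accepts the second sample because the pattern never asserts the end of the host; the allowlist rejects it and everything else it was not explicitly given, which is also what makes the policy trivially auditable: the list is the whole decision.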