On 19 January 2011 22:42, Adam Barth <w3c@adambarth.com> wrote:
> As I'm sure many of you are aware, various folks from Mozilla have
> proposed Content Security Policies
> <https://wiki.mozilla.org/Security/CSP> as a way of improving the
> security of web pages by including a security policy. I'm interested in
> two aspects of CSP:
>
A while ago I had the idea of using zones protected by a randomized token:-
<http://www.thespanner.co.uk/2010/09/24/xss-zones/>
You use a randomized zone to protect a section of the site; the problem is
that it would require browser support and the server to generate a random key.
An alternative idea would be to use a security policy like a CSS file, since
webdevs are already used to this. Something like:-
<link href="http://hackvertor.co.uk/policy.csp" rel="policy" type="text/policy" />
So by default the browser denies everything (forms, events, script, etc.); then
the policy dictates which elements are allowed and which URLs
(http://hackvertor.co.uk/policy.csp):-
script {
src:url(https://chart.googleapis.com) url(http://chart.googleapis.com);
inline: false;
}
You can be specific like:-
#emailContent {
javascript: false;
forms: false;
img: true;
}
This way we could reuse the CSS parsing that already exists, but the policy
files would obviously have to be much stricter in what they allow.
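The following is an added example, not code from the post above or from any browser or project: a small JavaScript parser and evaluator for the CSS-like policy syntax sketched in the message, to show what "deny by default, then the policy opens things up" would look like if a user agent actually enforced it. The grammar (selector blocks of `property: value;` declarations, values being `true`/`false` or one or more `url(...)` tokens) and the origin-only matching of script sources are assumptions made here; the sample policy text is constructed from the two snippets in the post.

```javascript
// Added example: parser and evaluator for the hypothetical CSS-like policy
// format proposed in the post. Everything here is an assumption about how
// such a format might be interpreted; no browser implements it.

// Constructed sample policy, assembled from the two snippets in the post.
const SAMPLE_POLICY = `
script {
  src: url(https://chart.googleapis.com) url(http://chart.googleapis.com);
  inline: false;
}
#emailContent {
  javascript: false;
  forms: false;
  img: true;
}
`;

// Parse "selector { prop: value; ... }" blocks into a Map of
// selector -> { prop: boolean | [origin, ...] }.
function parsePolicy(text) {
  const rules = new Map();
  const blockRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = blockRe.exec(text)) !== null) {
    const selector = m[1].trim();
    const decls = {};
    for (const part of m[2].split(';')) {
      const idx = part.indexOf(':'); // first colon only; url(https://...) contains more
      if (idx < 0) continue;
      const prop = part.slice(0, idx).trim();
      const raw = part.slice(idx + 1).trim();
      if (raw === 'true' || raw === 'false') {
        decls[prop] = raw === 'true';
      } else {
        // Collect every url(...) token; anything else is ignored (strict parser).
        decls[prop] = [...raw.matchAll(/url\(\s*([^)\s]+)\s*\)/g)].map(u => u[1]);
      }
    }
    rules.set(selector, decls);
  }
  return rules;
}

// Assumed matching rule: an allowed url(...) names an origin (scheme + host
// + port); the script's path is irrelevant. Unparseable URLs are denied.
function sameOrigin(allowedOrigin, url) {
  try {
    const a = new URL(allowedOrigin);
    const b = new URL(url);
    return a.protocol === b.protocol && a.host === b.host;
  } catch (e) {
    return false;
  }
}

// Default deny: no script block, or no src list, means no external script.
function isScriptSrcAllowed(rules, url) {
  const script = rules.get('script');
  if (!script || !Array.isArray(script.src)) return false;
  return script.src.some(origin => sameOrigin(origin, url));
}

// Default deny: a feature is allowed in a zone only if explicitly set to true.
function isFeatureAllowed(rules, selector, feature) {
  const decls = rules.get(selector);
  if (!decls || typeof decls[feature] !== 'boolean') return false;
  return decls[feature];
}

// Stand-alone demonstration.
const demoRules = parsePolicy(SAMPLE_POLICY);
console.log('chart.googleapis.com script:',
  isScriptSrcAllowed(demoRules, 'https://chart.googleapis.com/chart?cht=p3'));
console.log('look-alike host:',
  isScriptSrcAllowed(demoRules, 'https://chart.googleapis.com.evil.example/x.js'));
console.log('inline script:', isFeatureAllowed(demoRules, 'script', 'inline'));
console.log('#emailContent img:', isFeatureAllowed(demoRules, '#emailContent', 'img'));
```

Note that the subdomain look-alike (`chart.googleapis.com.evil.example`) is rejected because matching is done on the parsed host, not by string prefix; a prefix comparison on the raw URL would be the obvious bug to avoid in any real implementation of such a format.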