- From: Giorgio Maone <g.maone@informaction.com>
- Date: Thu, 20 Jan 2011 23:47:13 +0100
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Sid Stamm <sid@mozilla.com>, Lucas Adamski <ladamski@mozilla.com>, Michal Zalewski <lcamtuf@coredump.cx>
- Message-ID: <4D38BB71.4040901@informaction.com>
Michal Zalewski wrote, On 20/01/2011 23.01:
> Yes, and FWIW, we are actually pretty unhappy with the limitations of
> X-Frame-Options. I had conversations with David Ross to, at the very
> minimum, include a list of permissible embedding origins; he seemed
> receptive.

gaz Heyes wrote, On 20/01/2011 23.11:
> One way would be to automatically look for the existence of a CSP file in
> the root of the server. I know it's bad that the browser makes an extra HTTP
> request, but that way the dev only needs to create a policy file on the server.

(Slightly) off-topic, ABE combines anti-CSRF and embedding control in a
declarative policy file requested once per session (or according to caching
directives) at the HTTPS root of the file:
http://noscript.net/abe

-- G

gaz Heyes wrote, On 20/01/2011 23.11:
> On 20 January 2011 21:47, Brandon Sterne <bsterne@mozilla.com
> <mailto:bsterne@mozilla.com>> wrote:
>
>> I don't think the use of HTML tags instead of HTTP headers is
>> well-justified. The obvious drawback to using <meta> tags is that the
>> whole model can be subverted by an attacker who manages to inject his
>> attack code or bogus policy tag above the site's legitimate policy tag.
>> Mozilla considered the use of <meta> tags as an alternative to the
>> header, but we ultimately decided that the risk outlined above outweighs
>> the usability gained by allowing the policy to be expressed as a tag.
>
> I sort of agree with this, even though I suggested a link tag; however, the
> average dev won't use HTTP headers! They will be too complex to configure, and
> nobody will apply the rules correctly or even know which rules they should
> be using. One way would be to automatically look for the existence of a CSP
> file in the root of the server. I know it's bad that the browser makes an
> extra HTTP request, but that way the dev only needs to create a policy file
> on the server.
>
> I think we should have policy files that mimic CSS syntax and
> even provide W3C validation. Devs are obsessed with validating their HTML;
> they even place images saying that the site is validated, and it is a
> requirement for some companies to have a correctly formed site. If the site
> doesn't validate because it doesn't have a correct security policy, then devs
> will be forced to make one. We can force security on them :)
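The ordering problem Brandon Sterne raises in the quoted message (an injected policy tag landing above the site's legitimate one) can be modelled in a few lines. The block below is an added example and is not code from this thread, from Mozilla or from NoScript/ABE. It assumes a "first policy tag wins" ordering, which is the model the thread is arguing about, not a statement about any current browser; the header name, the `allow` directive syntax and both sample pages are constructed for illustration only.

```javascript
// Added example (not from the thread): contrast a policy delivered as a <meta>
// tag, which attacker-controlled markup can precede in the document, with a
// policy delivered as an HTTP header, which nothing in the response body can
// reorder. Assumption for this model: the first policy tag encountered wins.
// Header name, directive syntax and the sample pages are constructed.

const SITE_POLICY = "allow 'self'; img-src *";   // constructed legitimate policy
const ATTACKER_POLICY = "allow *";               // constructed permissive policy
const HEADER_NAME = "x-content-security-policy"; // constructed header name

// Collect every http-equiv policy tag in a document, in source order.
// A regex stands in for a real HTML parser; it is enough for this model.
function metaPolicies(html) {
  const re = new RegExp(
    '<meta\\s+http-equiv=["\']' + HEADER_NAME + '["\']\\s+content="([^"]*)"\\s*\\/?>',
    "gi"
  );
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Under the assumed first-tag-wins model the effective policy is simply the
// first one found in document order.
function effectiveMetaPolicy(html) {
  const all = metaPolicies(html);
  return all.length ? all[0] : null;
}

// Header delivery: the policy lives outside the body, so there is no
// "above the policy tag" position for injected markup to occupy.
function effectiveHeaderPolicy(response) {
  return response.headers[HEADER_NAME] || null;
}

// Constructed page template. The site emits its policy as a <meta> tag in
// <head>, but some attacker-influenced fragment is rendered ahead of it.
function buildPage(injected) {
  return (
    "<html><head>" + injected +
    '<meta http-equiv="' + HEADER_NAME + '" content="' + SITE_POLICY + '">' +
    "<title>demo</title></head><body>hello</body></html>"
  );
}

// Attacker payload: a bogus policy tag reflected before the site's own tag.
const INJECTED_TAG =
  '<meta http-equiv="' + HEADER_NAME + '" content="' + ATTACKER_POLICY + '">';

// Run both delivery models over the same injected page and report the outcome.
function demo() {
  const page = buildPage(INJECTED_TAG);
  return {
    metaOnly: effectiveMetaPolicy(page),
    withHeader: effectiveHeaderPolicy({ headers: { [HEADER_NAME]: SITE_POLICY }, body: page }),
  };
}

console.log(demo());
// { metaOnly: 'allow *', withHeader: "allow 'self'; img-src *" }
```

With no injection the only tag found is the site's own; once the attacker's tag is reflected earlier in `<head>`, the meta-delivered policy that wins is the permissive one, while the header-delivered policy is untouched by anything in the body. That asymmetry is the whole of the argument for header delivery in the quoted message.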
Received on Thursday, 20 January 2011 22:51:29 UTC