On 20 January 2011 23:23, Michal Zalewski <lcamtuf@coredump.cx> wrote:
> (This is also the beef I have with selective XSS filters: I don't
> think we can, with any degree of confidence, say that selectively
> nuking legit scripts on a page will not introduce XSS vulnerabilities,
> destroy user data, etc)
>
This would be a good argument for a native sandbox in every browser: if we
can detect an attack (certainly possible), then we can react to it by placing
the browser in a sandbox rather than blocking script/replacing output. The
browser is in the best position to control the content, as it's rendering it.
If we know a pattern matches and we know where it occurs, then the output can
be sandboxed where the injection occurs. We need a way to sandbox HTML and
JavaScript; web workers would be a nice way to execute JavaScript safely if
they didn't send cookies with requests to import scripts and allowed
deletion of native properties.
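As an added illustration of the "sandbox the output where the injection occurs" idea above (this is not code from the thread or from any browser vendor), the following JavaScript takes an HTML response plus the offsets a reflected-XSS detector reported, and isolates just that region in a sandboxed srcdoc iframe instead of stripping it. It assumes the HTML5 iframe `sandbox` and `srcdoc` attributes: with no `allow-same-origin` token the framed document gets an opaque origin, so script inside it cannot reach the parent page, its DOM, `document.cookie` or its storage. The function and helper names (`sandboxRegion`, `escapeAttr`) and the sample page are constructed for the example.

```javascript
// Added example, not from the original thread. Assumes the HTML5 iframe
// `sandbox` and `srcdoc` attributes; `sandboxRegion` and `escapeAttr` are
// illustrative names, not a browser or library API.

// Escape a string for use inside a double-quoted HTML attribute value.
// The attribute parser decodes these entities again, so the srcdoc
// document the browser builds is the original region byte-for-byte.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}

// Wrap html[start, end) in a sandboxed iframe. With the empty sandbox
// attribute every restriction applies (no script, no same-origin access).
// allowScripts lets the region's script run, but still in an opaque
// origin, so it cannot read the parent's cookies or DOM.
function sandboxRegion(html, start, end, allowScripts = false) {
  const inBounds = Number.isInteger(start) && Number.isInteger(end) &&
                   start >= 0 && start <= end && end <= html.length;
  if (!inBounds) {
    throw new RangeError('injection region lies outside the document');
  }
  const region = html.slice(start, end);
  const tokens = allowScripts ? 'allow-scripts' : '';
  const frame = '<iframe sandbox="' + tokens + '" srcdoc="' +
                escapeAttr(region) + '"></iframe>';
  return html.slice(0, start) + frame + html.slice(end);
}

// Constructed sample: a search page reflecting the query unescaped, with
// the detector having located the reflected payload.
const query = '<img src=x onerror="alert(document.cookie)">';
const page = '<html><body><p>Results for: ' + query + '</p></body></html>';
const start = page.indexOf(query);
const end = start + query.length;

// The payload still renders (as an <img> inside the frame), but its
// onerror handler now runs in an opaque origin with no access to the
// surrounding page or its cookies.
const sandboxed = sandboxRegion(page, start, end);
```

Note where Zalewski's objection still bites: the result is only as good as the detector's boundaries. If `start`/`end` cut through an existing tag or attribute, the surrounding page is rewritten and may itself become broken or newly exploitable, so a real implementation would have to verify that the region is a well-formed fragment before framing it. Cookies on subresource requests issued from inside the frame are a separate matter from the origin isolation shown here.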