Re: More on XSS mitigation (was Re: XSS mitigation in browsers) from Adam Barth on 2011-01-22 (public-web-security@w3.org from January 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 21 Jan 2011 17:35:55 -0800
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: public-web-security@w3.org
Message-ID: <AANLkTimzfHApAeMPakL2oR+LjHCcgU7dVOSEsxZBNbY8@mail.gmail.com>

On Fri, Jan 21, 2011 at 5:19 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> The reason we're here having this discussion is because we'd like to
>> come to an agreement about what to do.
>
> I wonder if the vendors can settle it, though?

That's what we're doing.  We're doing it in public because we believe
in open standards for an open web.

> Arguments both ways
> make sense, and are somewhat comparable in terms of their
> significance, which can make this difficult. I don't want to get ahead
> of the debate, though, so maybe let's leave it at that :-)
>
>> Thinking along those lines, what do you think of the following mechanism:
>> <meta name="no-more-script">
>> After this element is added to the DOM, the user agent refuses to
>> compile any more script.  Period.  Full stop.
>
> That's probably not bad, and pretty flexible in function of its
> simplicity. It's a bit trickier to fit plugins into that model.
>
> It takes away the ability to use HTTP header policies for sandboxing
> same-origin user HTML, which is a possible if unintended use of CSP.
> We probably don't care, though.
>
> The one substantial roadblock to embracing this or any other approach
> that limits inline scripting later on in document body is dealing with
> event handlers for UI interaction. Manually attaching several hundred
> of them to document elements from JS code looks like a very major
> PITA.
>
> With no-more-script approach specifically, you actually need to
> register an onload handler or a 1 ms timeout, or else you won't be
> able to look the relevant elements at the time your JS first executes.
> I wonder how to lessen this pain. I suspect offering some options here
> would be essential to any successful proposal. No idea how to do it
> cleanly, though.

I worried about that originally too.  However, that turns out not to
be that big an issue if you use something like jQuery's "live"
feature:

http://api.jquery.com/live/

It's actually way more elegant than manually including inline event
handlers in the first place.

Adam

Received on Saturday, 22 January 2011 01:37:00 UTC