Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

On 22 January 2011 08:29, Gervase Markham <> wrote:

> On 21/01/11 22:44, Michal Zalewski wrote:
>> 3) Allowing inline scripts guarded by policy-specified nonce tokens
>> (<meta>  says "inline-script-token=$random", inline scripts have
>> <script token="$previously_specified_random">...</script>). This
>> eliminates one of the most significant issues with deploying CSP or
>> this proposal on sites that are extremely concerned about the overhead
>> of extra HTTP requests; for example, much of * is subject
>> to such concerns.

Both this and meta tag are vulnerable to any sort of html attribute
injection, this is why I suggested using both a opening and closing
randomized tag. e.g. <meta nothankyou=' would enclose any existing tags
until the next ' and > which would either disable the intended restriction
or even worse allow you to use the key.

Received on Saturday, 22 January 2011 10:34:38 UTC