- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sat, 22 Jan 2011 02:50:59 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
> Both this and meta tag are vulnerable to any sort of html attribute
> injection

All approaches do not do a lot to prevent attackers from injecting JS into JS due to insufficient escaping of dynamically inserted variables, so I'm not sure this changes the picture appreciably? I.e., it does not matter if you have http://allowed_origin/dynamic_js_script.js with:

var username = '$incorrectly_escaped_username';

...versus:

<span onclick="do_something('$incorrectly_escaped_username')">

Signing inline scripts is slightly more robust, but ultimately also futile against these attacks, as web frameworks will likely move to indiscriminately auto-sign any generated text.

About the only way to fix JS-in-JS injection is sending JS as generated VM bytecode, rather than serialized text, probably...

/mz
Received on Saturday, 22 January 2011 10:51:54 UTC
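The JS-in-JS injection Zalewski describes, as an added example that is not part of the original mail: a constructed naive escaper for the `var username = '...'` script body beside a hardened one, plus a check that tells whether the dynamically inserted value survived as a single string literal. Function names (`naiveJsString`, `safeJsString`, `renderScript`, `roundTrips`) and the probe input are hypothetical; it runs under Node.js.

```javascript
// Added example, not from Zalewski's mail: the "JS-in-JS" problem he describes,
// with a constructed naive escaper beside a hardened one and a check that tells
// them apart. Function names are hypothetical; runs under Node.js.

// Naive server-side escaper: only the quote character gets a backslash, the
// kind of ad-hoc escaping that leaves $incorrectly_escaped_username exploitable.
function naiveJsString(value) {
  return "'" + String(value).replace(/'/g, "\\'") + "'";
}

// Hardened escaper: JSON.stringify emits a complete JS string literal (quotes,
// backslashes, control characters), and the extra \uXXXX escapes keep the
// literal inert inside a <script> body and in HTML attribute context.
function safeJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The dynamic script body from the mail, rendered with a chosen escaper.
function renderScript(esc, username) {
  return "var username = " + esc(username) + ";";
}

// Defensive check: run the rendered script in an isolated function scope and
// confirm that `username` holds exactly the original value and that nothing
// beyond the assignment executed (the sentinel __probe stays uncalled).
function roundTrips(script, original) {
  let extra = false;
  try {
    const fn = new Function("__probe", script + "\nreturn username;");
    const value = fn(function () { extra = true; });
    return value === original && !extra;
  } catch (e) {
    return false; // syntax error: the value broke the surrounding script
  }
}

// Constructed probe: a backslash before the quote. The naive escaper turns \'
// into \\', which closes the literal early; the remainder is parsed as code.
const PROBE = "\\'; __probe(); //";

console.log("naive :", roundTrips(renderScript(naiveJsString, PROBE), PROBE)); // false
console.log("safe  :", roundTrips(renderScript(safeJsString, PROBE), PROBE));  // true
```

The same check applies to the inline-handler form from the mail once the HTML attribute layer is decoded, which is why a JS-layer escaper alone does not settle the picture for that case.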