- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 24 Jan 2011 15:57:32 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Gervase Markham <gerv@mozilla.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, John Wilander <john.wilander@owasp.org>, Michal Zalewski <lcamtuf@coredump.cx>, public-web-security@w3.org
On Mon, Jan 24, 2011 at 1:26 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 24 January 2011 18:29, Gervase Markham <gerv@mozilla.org> wrote:
>> On 24/01/11 05:47, Devdatta Akhawe wrote:
>>> I would also add developing policies for common applications like
>>> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
>>> BugZilla and it seemed too much work to do it without enabling
>>> inline-scripts.
>
> This is a fantastic idea but please let's think ahead: without sandboxed
> areas of the site to mark, policy creation per site will be more difficult.
> It isn't going to be that simple to just specify a policy of no external
> script or events; we need finer control over the content. XSS isn't about
> just JavaScript, it is about using every feature the browser offers to make a
> remote/self referring request. For the record I repeat, using a start marker
> is a bad idea; you need to control zones/areas of the site, use start and end
> markers.

Finer-grain control is a bit trickier. So far, no browser has finished implementing srcdoc/sandbox/seamless, which is the HTML5 approach to addressing this use case. The other tech-tree that folks are exploring in this space is ECMAScript-based using SES. That's also not quite done yet either. Personally, I'm hopeful that some combination of XBL2 and SES will allow for assembling an HTML document out of mutually distrusting components. Admittedly, it's not a "quick fix", but combining those approaches has a lot of promise.

Adam
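An added example of the per-zone sandboxing gaz asks for, using the srcdoc/sandbox mechanism Adam's reply refers to; this is not code from the thread or from any browser or project. It assumes a Node.js server-side templating step, and the helper names and escaping order are my own choices.

```javascript
// Escape text for placement inside a double-quoted HTML attribute value.
// The srcdoc attribute is entity-decoded by the HTML parser, so "&" must be
// escaped first; otherwise a literal "&lt;" in user content would be decoded
// back into "<". Escaping "<" and ">" is not strictly required inside a quoted
// attribute but costs nothing and guards against sloppy downstream parsers.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Emit an untrusted area of the page as <iframe sandbox srcdoc="...">.
// With a bare `sandbox` attribute the framed document gets an opaque origin and
// script, forms, plugins and top-level navigation are disabled, so the zone has
// an explicit start and end (the iframe element) and the surrounding page's CSP
// need not allow inline script on account of it.
// opts.allow is an optional list of sandbox keywords to re-enable (hypothetical
// parameter name chosen for this example).
function renderUntrustedZone(untrustedHtml, opts = {}) {
  const flags = Array.isArray(opts.allow) ? opts.allow : [];
  // allow-scripts together with allow-same-origin lets the framed content
  // remove its own sandbox attribute, so refuse that combination outright.
  if (flags.includes('allow-scripts') && flags.includes('allow-same-origin')) {
    throw new Error('allow-scripts + allow-same-origin defeats the sandbox');
  }
  const sandbox = flags.length ? ` sandbox="${flags.join(' ')}"` : ' sandbox';
  return `<iframe${sandbox} srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// Constructed sample: user-supplied markup carrying an event handler attribute.
const sample = renderUntrustedZone('<p onclick="x()">Hi & "bye" </p>');
console.log(sample);
```

The handler attribute survives inside srcdoc, but because the frame is sandboxed without allow-scripts it never executes, and the frame's opaque origin keeps it away from the parent document regardless.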
Received on Monday, 24 January 2011 23:58:36 UTC