- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Thu, 27 Jan 2011 16:30:14 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: gaz Heyes <gazheyes@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
sorry I missed the 'HTML encoded content' in your mail. The idea is that you can do

<tag secret-token> attacker can put anything he wants </tag secret-token>

On 27 January 2011 16:27, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>
>> <span security="xxxxx">html encoded content</span>
>>
>
> You need the token in the end tag too, otherwise the attacker can do </span>
>
> =devdatta
>
> On 27 January 2011 16:25, sird@rckc.at <sird@rckc.at> wrote:
>> Oh btw, you could also.
>>
>> <span security="xxxxx">html encoded content</span>
>>
>> Or am I missing how this is going to behave being backward compatible?
>>
>> Greetz
>> -- Eduardo
>>
>> On Thu, Jan 27, 2011 at 6:24 PM, sird@rckc.at <sird@rckc.at> wrote:
>>> Hi!
>>>
>>> Just a suggestion, you may prefer to use something like..
>>>
>>> <xmp token="xxx" class="security">content here</xmp>
>>>
>>> Old UAs will ignore that, another option could be to use <noscript>
>>> but that may be weird, and could cause bad consequences.
>>>
>>> Greetings!!
>>> -- Eduardo
>>>
>>> On Thu, Jan 27, 2011 at 5:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>>>
>>>>>> <span security=XXXX>
>>>>>>
>>>>>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>>>>>> </span security=XXXX>
>>>>>>
>>>>>
>>>>> Ah but my point is before HTML is rendered the start and end markers should
>>>>> be parsed first. CDATA doesn't matter.
>>>>>
>>>>
>>>> yes, but the point of using XML is that you can use any XML parser and
>>>> not your own parser. You might as well use HTML if you are doing that.
>>>>
>>>> (I am not a big fan of XML -- I am just writing down what I think is
>>>> their point of view).
>>>>
>>>> -devdatta
>>>>
>>>>>>
>>>>>> Perhaps a more compatible approach would be:
>>>>>>
>>>>>> <securityXXXX> // With secret token in tag name
>>>>>> user_content_here
>>>>>> </securityXXXX>
>>>>>>
>>>>>> ...but it's also unlikely to fly with purists.
>>>>>
>>>>> I prefer this maybe with some extra characters that aren't likely to be
>>>>> used:-
>>>>> <__securityXXXX__> // With secret token in tag name
>>>>> user_content_here
>>>>> </__securityXXXX__>
>>>>>
Received on Friday, 28 January 2011 00:31:08 UTC
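
The point made in this message, that the end tag has to repeat the secret token, shown as an added example that is not code from the thread or from any browser. The function names and the sample content are hypothetical; the `<span security=...>` marker syntax follows the sketches in the quoted mails.

```javascript
const { randomBytes } = require("node:crypto");

// Per-response secret; 128 bits so the author of the content cannot guess it.
function makeToken() {
  return randomBytes(16).toString("hex");
}

// Start and end markers. tokenInEnd=false models the variant whose end tag
// is a plain </span>, as in <span security="xxxxx">...</span>.
function markers(token, tokenInEnd) {
  return {
    open: `<span security=${token}>`,
    close: tokenInEnd ? `</span security=${token}>` : "</span>",
  };
}

// Server side: wrap untrusted text. Content that already contains the
// token means the secret leaked, so refuse to emit it.
function wrap(untrusted, token, tokenInEnd) {
  if (untrusted.includes(token)) throw new Error("token present in content");
  const { open, close } = markers(token, tokenInEnd);
  return open + untrusted + close;
}

// Consumer side: the container ends at the first end marker after the
// start marker. Report what stays inert and what falls outside it.
function split(doc, token, tokenInEnd) {
  const { open, close } = markers(token, tokenInEnd);
  const start = doc.indexOf(open);
  if (start < 0) return null;
  const from = start + open.length;
  const end = doc.indexOf(close, from);
  if (end < 0) return null;
  return { inert: doc.slice(from, end), outside: doc.slice(end + close.length) };
}

// Constructed sample: user content that carries its own plain end tag.
const SAMPLE = "hello</span><b>outside the container</b>";

function demo(tokenInEnd) {
  const token = makeToken();
  return split(wrap(SAMPLE, token, tokenInEnd), token, tokenInEnd);
}

console.log("plain end tag:", demo(false));
console.log("token in end tag:", demo(true));
```

With the plain end tag, everything after the content's own `</span>` lands in `outside` and would be parsed as ordinary markup; with the token in the end tag the whole sample stays in `inert`.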