- From: <sird@rckc.at>
- Date: Thu, 27 Jan 2011 19:15:15 -0600
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Right, but that won't work on old browsers right?

If you entify the content, it's backwards compatible.

On the other hand.. We already have iframe@sandbox+srcdoc which makes this kinda useless :)

Greetings!!
-- Eduardo

On Thu, Jan 27, 2011 at 6:30 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> sorry I missed the 'HTML encoded content' in your mail.
>
> The idea is that you can do
> <tag secret-token> attacker can put anything he wants </tag secret-token>
>
> On 27 January 2011 16:27, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>
>>> <span security="xxxxx">html encoded content</span>
>>>
>>
>> You need the token in the end tag too, otherwise the attacker can do </span>
>>
>> =devdatta
>>
>> On 27 January 2011 16:25, sird@rckc.at <sird@rckc.at> wrote:
>>> Oh btw, you could also.
>>>
>>> <span security="xxxxx">html encoded content</span>
>>>
>>> Or am I missing how this is going to behave being backward compatible?
>>>
>>> Greetz
>>> -- Eduardo
>>>
>>> On Thu, Jan 27, 2011 at 6:24 PM, sird@rckc.at <sird@rckc.at> wrote:
>>>> Hi!
>>>>
>>>> Just a suggestion, you may prefer to use something like..
>>>>
>>>> <xmp token="xxx" class="security">content here</xmp>
>>>>
>>>> Old UAs will ignore that, another option could be to use <noscript>
>>>> but that may be weird, and could cause bad consequences.
>>>>
>>>> Greetings!!
>>>> -- Eduardo
>>>>
>>>> On Thu, Jan 27, 2011 at 5:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>>>>
>>>>>>> <span security=XXXX>
>>>>>>>
>>>>>>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>>>>>>> </span security=XXXX>
>>>>>>>
>>>>>>
>>>>>> Ah but my point is before HTML is rendered the start and end markers should
>>>>>> be parsed first. CDATA doesn't matter.
>>>>>>
>>>>>
>>>>> yes, but the point of using XML is that you can use any XML parser and
>>>>> not your own parser. You might as well use HTML if you are doing that.
>>>>>
>>>>> (I am not a big fan of XML -- I am just writing down what I think is
>>>>> their point of view).
>>>>>
>>>>> -devdatta
>>>>>
>>>>>>>
>>>>>>> Perhaps a more compatible approach would be:
>>>>>>>
>>>>>>> <securityXXXX> // With secret token in tag name
>>>>>>> user_content_here
>>>>>>> </securityXXXX>
>>>>>>>
>>>>>>> ...but it's also unlikely to fly with purists.
>>>>>>
>>>>>> I prefer this maybe with some extra characters that aren't likely to be
>>>>>> used:-
>>>>>> <__securityXXXX__> // With secret token in tag name
>>>>>> user_content_here
>>>>>> </__securityXXXX__>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
Received on Friday, 28 January 2011 01:16:07 UTC