Re: [Content Security Policy] Proposal to move the debate forward

On 28 January 2011 11:18, Gervase Markham <gerv@mozilla.org> wrote:

> I guess you could defeat this attack by prefixing every script key with the
> string
>
> '"
>
> i.e.
>
> <script> /* '" SCRIPT_KEY_HERE */ var valid_script = 0; ... </script>
>
> But I agree that's a bit of a pain to do. We could make it so that the only
> valid script-keys were ones which began "' ... !
>
> Gerv
>

Nope, that wouldn't work because <textarea> or similar attacks would continue
parsing until the next </textarea>; we'd know which user it was as we have a
lot of the HTML. Maybe you could use CSS-based attacks to get round the
quotes too, but I've not looked into encoded quotes in CSS and what happens
if a real quote is encountered. Either way I'd still have a start and end
marker.

Received on Friday, 28 January 2011 11:24:10 UTC
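The following is an added example, not code posted by anyone in this thread. It models the two injection contexts being argued about: an unclosed attribute quote, which is my reading of the attack Gerv's `'"` prefix is meant to stop, and a dangling `<textarea>`, which keeps swallowing markup until the next `</textarea>`. The script key, page template and injected strings are constructed for the demonstration, and `textareaContent` is a deliberately small stand-in for the HTML tokenizer's RCDATA handling rather than a real parser.

```javascript
// Added example (not from the CSP thread). Shows why a '" prefix on a
// per-request script key closes an injected attribute quote but does
// nothing against an unclosed <textarea>, which is RCDATA: everything up
// to the next </textarea> (or end of file) becomes plain text.

// Constructed sample key; a real deployment would generate one per response.
const SCRIPT_KEY = "5a1c9f0e3b7d2c4ea8f6b1d0c2e9a7f3";

// Page template in the style of Gerv's snippet: the key sits in a comment
// whose first characters are '" so that an attacker's unclosed " or '
// attribute value is terminated before the key is reached. The attacker
// controls one text node that appears earlier in the document.
function renderPage(userInput) {
  return (
    "<html><body>\n" +
    '<p class="comment">' + userInput + "</p>\n" +
    "<script> /* '\" " + SCRIPT_KEY + " */ var valid_script = 0; </script>\n" +
    "</body></html>"
  );
}

// Simplified model of an attribute value opened with quoteChar: it runs to
// the next occurrence of that same quote character, or to end of file.
function attrValueCapture(html, quoteChar) {
  const marker = "value=" + quoteChar;
  const at = html.indexOf(marker);
  if (at < 0) return null;
  const start = at + marker.length;
  const end = html.indexOf(quoteChar, start);
  return end < 0 ? html.slice(start) : html.slice(start, end);
}

// Simplified model of the tokenizer's RCDATA state for <textarea>: after
// the start tag, everything is text until </textarea> (case-insensitive);
// if no end tag exists, the text runs to end of file.
function textareaContent(html) {
  const open = /<textarea\b[^>]*>/i.exec(html);
  if (!open) return null;
  const start = open.index + open[0].length;
  const close = /<\/textarea\s*>/i.exec(html.slice(start));
  return close ? html.slice(start, start + close.index) : html.slice(start);
}

// Attacker injects <input value=" (or value=') and never closes it.
function keyLeaksViaAttribute(quoteChar) {
  const page = renderPage("<input value=" + quoteChar);
  const captured = attrValueCapture(page, quoteChar);
  return captured !== null && captured.includes(SCRIPT_KEY);
}

// Attacker injects an unclosed <textarea>; the rest of the page, key and
// all, becomes the textarea's value and can be submitted or read back.
function keyLeaksViaTextarea() {
  const page = renderPage('<textarea name="page">');
  const captured = textareaContent(page);
  return captured !== null && captured.includes(SCRIPT_KEY);
}

console.log('unclosed " attribute leaks key:', keyLeaksViaAttribute('"'));
console.log("unclosed ' attribute leaks key:", keyLeaksViaAttribute("'"));
console.log("unclosed <textarea> leaks key:", keyLeaksViaTextarea());
```

The attribute cases come back false because the prefix supplies whichever quote the attacker opened, while the textarea case comes back true because no quote character terminates RCDATA; only `</textarea>` does, and the attacker simply omits it. That is the gap the reply above points at, and it is why a start and end marker (rather than a quote prefix) is still needed to decide where a key is allowed to appear.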