- From: gaz Heyes <gazheyes@gmail.com>
- Date: Fri, 28 Jan 2011 22:05:22 +0000
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
Received on Friday, 28 January 2011 22:05:55 UTC
On 28 January 2011 18:42, Brandon Sterne <bsterne@mozilla.com> wrote:
> I'm also still trying to wrap my head around your <iframe> and <img>
> token-stealing attack on the script-nonce approach.
>

Hehe, maybe my brain is just weird. Ok, the iframe waits for the img; that's why I use onload and then a 10 sec delay. The readKey function basically calls the server-side script, which receives the result from the img injection. It's passed from the server to the client iframe, and then the iframe can inject the XSS.

> I still think globally disallowing inline scripts and then letting a
> site individually whitelist script blocks with a nonce attribute is a
> good way to go. I haven't yet seen good evidence as to why this
> approach shouldn't be pursued.
>

Definitely, it's just that the approach needs to be slightly modified, using both start and end markers now, even if they can't be used fully yet.