- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sun, 30 Jan 2011 11:31:15 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: Giorgio Maone <g.maone@informaction.com>, Adam Barth <w3c@adambarth.com>, Gareth Heyes <gazheyes@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Brandon Sterne <bsterne@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> Anyways, there's not need to argue about this.. you can actually > create a javascript snippet of code that automatically transforms all > occurrences of: > > <sandbox start="$nonce"> > $user_content > <sandbox end="$nonce"> Well, that's not backward compatible, dependent on JS, and given the limitations of sandboxed frames, just slow. I think the only realistic way we can eventually have this is to have a method for delivering DOM tree directly to the browser, without the need to parse it on every client (which, if you come think about it, is a remarkable waste of CPU resources); this would give a lot more freedom to simple web frameworks to tackle XSS. It's not entirely outlandish, too - after all, we have SPDY to do roughly the same for HTTP. /mz
Received on Sunday, 30 January 2011 19:32:09 UTC