Re: Call for Feedback: Fighting XSS with Isolated Scripts

On Thu, Jan 26, 2017 at 12:57 AM, Eduardo Vela <sirdarckcat@gmail.com>
wrote:

> In case any of you is interested in XSS mitigations, here's a short
> proposal of a somewhat new type of XSS mitigation:
>    http://sirdarckcat.blogspot.com/2017/01/fighting-xss-with-isolated-scripts.html
>
>
Hi Eduardo,

Just to clarify, this doesn't actually prevent malicious JavaScript from
running, it just isolates trusted content from it?  So the XSS can still do
drive-by downloads, execute buffer overflows, modify some parts of the DOM
for fake login prompts, etc.?

I played with the demo and that seems to be the case, but wanted to make
sure I understood the problem that this is solving.

Thanks,

- Bil

Received on Thursday, 26 January 2017 17:46:29 UTC