Re: Call for Feedback: Fighting XSS with Isolated Scripts from Eduardo' Vela\ on 2017-01-26 (public-web-security@w3.org from January 2017)

From: Eduardo' Vela\ <evn@google.com>
Date: Thu, 26 Jan 2017 17:49:32 +0000
To: Bil Corry <bil@corry.biz>, Eduardo Vela <sirdarckcat@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <CAFswPa9rqCwG2TZj4GgXr4bvnVG2+FMtYrhM+OqVGEbP2YPphw@mail.gmail.com>

Hi Bil

Yep, that's correct.

On Thu, Jan 26, 2017 at 6:47 PM Bil Corry <bil@corry.biz> wrote:

> On Thu, Jan 26, 2017 at 12:57 AM, Eduardo Vela <sirdarckcat@gmail.com>
> wrote:
>
> In case any of you is interested in XSS mitigations, here's a short
> proposal of a somewhat new type of XSS mitigation:
>
> http://sirdarckcat.blogspot.com/2017/01/fighting-xss-with-isolated-scripts.html
>
>
> Hi Eduardo,
>
> Just to clarify, this doesn't actually prevent malicious JavaScript from
> running, it just isolates trusted content from it?  So the XSS can still do
> drive-by downloads, execute buffer overflows, modify some parts of the DOM
> for fake log in prompts, etc?
>
> I played with the demo and that seems to be the case, but wanted to make
> sure I understood the problem that this is solving.
>
> Thanks,
>
> - Bil
>
>

Received on Thursday, 26 January 2017 17:50:18 UTC