Re: Call for Feedback: Fighting XSS with Isolated Scripts

Hi Bil

Yep, that's correct.

On Thu, Jan 26, 2017 at 6:47 PM Bil Corry <bil@corry.biz> wrote:

> On Thu, Jan 26, 2017 at 12:57 AM, Eduardo Vela <sirdarckcat@gmail.com>
> wrote:
>
> > In case any of you is interested in XSS mitigations, here's a short
> > proposal of a somewhat new type of XSS mitigation:
> >
> > http://sirdarckcat.blogspot.com/2017/01/fighting-xss-with-isolated-scripts.html
>
>
> Hi Eduardo,
>
> Just to clarify, this doesn't actually prevent malicious JavaScript from
> running, it just isolates trusted content from it? So the XSS can still do
> drive-by downloads, execute buffer overflows, modify some parts of the DOM
> for fake login prompts, etc.?
>
> I played with the demo and that seems to be the case, but wanted to make
> sure I understood the problem that this is solving.
>
> Thanks,
>
> - Bil
>
>

Received on Thursday, 26 January 2017 17:50:18 UTC