- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 1 Mar 2012 01:13:28 -0800
- To: David Bruant <bruant.d@gmail.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, Jacob Rossi <Jacob.Rossi@microsoft.com>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Mar 1, 2012 at 1:10 AM, David Bruant <bruant.d@gmail.com> wrote:
> On 29/02/2012 23:04, Adam Barth wrote:
>> I'm sorry, but the platform cannot currently support your use case.
>> There are only two levels of trust in the platform: either you trust a
>> document or you don't. If you trust the document, then it can do
>> anything that you can do. If you don't trust it, then you're fully
>> isolated from it and can communicate with it using postMessage, etc.
>
> This limitation of "2 levels of trust" is exactly what got us screwed in web
> security in the first place. The "if you trust, it can do anything you can
> do" case is what allows XSS to be successful.
> "2 levels of trust" is what should be addressed. And it is. This is
> *exactly* the very reason CSP is being invented: CSP allows finer
> granularity to declare for one document what we trust and what we do not
> trust.
>
> As an example, the different combinations of the script-src directive are as
> many different levels of trust. You load a document and decide to trust:
> 1) no script at all
> 2) some script sources (list declared in the directive)
> 3) some script sources without unsafe evals
> 4) no inline scripts
> 5) some scripts, but with reduced connectivity capabilities (connect-src
> directive)
>
> These reflect different levels of trust in the document you load (it's not
> an exhaustive list).
>
> I would be fine with arguments saying that the directive I propose is of the
> wrong granularity, a bad idea because it doesn't protect from what I want it to
> protect, or because the attack I'm describing is too marginal.
> But "the platform cannot currently support your use case, There are only two
> levels of trust in the platform" does not seem to be a valid argument.

I'm just saying that I don't know of a way to implement what you propose.
If you're interested, you should try hacking up a copy of Firefox or
WebKit to build a prototype of your idea.

Adam
Received on Thursday, 1 March 2012 09:14:33 UTC
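The five script-src combinations David lists above make a concrete claim: each policy string yields a different set of allow/deny decisions for the same document. The following is an added example, not code from either participant or from any browser, that writes those five levels out as CSP header strings and runs a minimal, simplified CSP source-list evaluator over them. The document origin `https://app.example`, the hosts `cdn.example`, `evil.example` and `api.other.example`, and the policy strings themselves are constructed for illustration; the matcher implements only the subset of source-expression syntax (keywords, scheme, host, `*.` wildcard, port) needed to show the distinctions, and is not a faithful implementation of any CSP specification level.

```javascript
// Added example: a minimal CSP source-list evaluator. Constructed inputs throughout.
const ORIGIN = "https://app.example"; // assumed document origin

// Parse "directive src src; directive src" into { directive: [src, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name] = sources;
  }
  return policy;
}

// Source list governing a directive; falls back to default-src.
// null means the policy says nothing about this kind of load.
function sourcesFor(policy, directive) {
  if (directive in policy) return policy[directive];
  if ("default-src" in policy) return policy["default-src"];
  return null;
}

function sameOrigin(url, origin) {
  return new URL(url).origin === new URL(origin).origin;
}

// Match one host-source expression (https://cdn.example:443, *.example, cdn.example)
// against a URL. Scheme and port are optional in the expression.
function hostSourceMatches(expr, url) {
  const target = new URL(url);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && target.protocol !== scheme + ":") return false;
  const targetHost = target.hostname;
  if (host.startsWith("*.")) {
    // "*.example" matches "cdn.example" but not "example" itself
    if (!targetHost.endsWith(host.slice(1))) return false;
  } else if (host !== "*" && targetHost !== host) {
    return false;
  }
  if (port && port !== "*") {
    const targetPort = target.port || (target.protocol === "https:" ? "443" : "80");
    if (targetPort !== port) return false;
  }
  return true;
}

// Decide one load. request.kind is "external" | "inline" | "eval" | "connect";
// "external" and "connect" carry a url.
function allows(header, request, origin = ORIGIN) {
  const policy = parsePolicy(header);
  const directive = request.kind === "connect" ? "connect-src" : "script-src";
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true; // unrestricted: the policy is silent here
  if (sources.includes("'none'")) return false;
  switch (request.kind) {
    case "inline": return sources.includes("'unsafe-inline'");
    case "eval":   return sources.includes("'unsafe-eval'");
    default:
      return sources.some((src) =>
        src === "'self'" ? sameOrigin(request.url, origin)
                         : hostSourceMatches(src, request.url));
  }
}

// The five trust levels from the thread, as constructed policies.
const LEVELS = {
  noScript:            "script-src 'none'",
  listedSources:       "script-src 'self' https://cdn.example 'unsafe-inline' 'unsafe-eval'",
  listedNoEval:        "script-src 'self' https://cdn.example 'unsafe-inline'",
  noInline:            "script-src 'self' https://cdn.example",
  reducedConnectivity: "script-src 'self' https://cdn.example; connect-src 'self'",
};

// Same five loads against one policy; the five levels give five different rows.
function decisions(header) {
  return {
    cdnScript:  allows(header, { kind: "external", url: "https://cdn.example/lib.js" }),
    evilScript: allows(header, { kind: "external", url: "https://evil.example/x.js" }),
    inline:     allows(header, { kind: "inline" }),
    eval:       allows(header, { kind: "eval" }),
    connectOut: allows(header, { kind: "connect", url: "https://api.other.example/v1" }),
  };
}

for (const [name, header] of Object.entries(LEVELS)) {
  console.log(name, decisions(header));
}
```

Note that `script-src 'none'` alone leaves `connectOut` allowed: a policy that is silent on a directive (and has no default-src) does not restrict it, which is why the fifth level needs an explicit connect-src to be a distinct level at all.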