- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 05 Mar 2012 11:13:19 -0800
- To: David Bruant <bruant.d@gmail.com>
- CC: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/1/12 1:10 AM, David Bruant wrote:
> This limitation of "2 levels of trust" is exactly what got us
> screwed in web security in the first place. The "if you trust, it
> can do anything you can do" case is what allows XSS to be successful.

Most XSS comes from programming mistakes in trusted content. Dividing trust into finer levels doesn't really help with that problem.

> As an example, the different combinations of the script-src
> directive are as many different levels of trust. You load a document
> and decide to trust:
> 1) no script at all
> 2) some scripts sources (list declared in the directive)
> 3) some scripts sources without unsafe evals
> 4) no inline scripts

There are still only two levels -- sources you trust completely and sources you don't. And if you allow inline-script and eval() you probably aren't preventing any XSS attacks because the attacker-injected content is indistinguishable from a source you trust.

Getting from where the ad hoc creation of the web has left us to a safer future isn't going to be easy. CSP's baby steps toward forcing authors to separate script and content are only a start.

-Dan Veditz
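The four script-src combinations David lists, and Dan's point that an allowed inline script is indistinguishable from an injected one, as an added example that is not part of this thread. It is a deliberately simplified script-src evaluator: it assumes the header carries a script-src directive, matches host sources by exact origin only, and understands just the 'none', 'self', 'unsafe-inline' and 'unsafe-eval' keywords (no nonces, hashes, wildcards or default-src fallback); the policies and the page origin https://example.com are constructed for the demonstration.

```javascript
// Constructed page origin and the four policies from the list above.
const PAGE = 'https://example.com';
const POLICIES = {
  noScript: "script-src 'none'",                                              // 1) no script at all
  listed:   "script-src 'self' https://cdn.example.net 'unsafe-inline' 'unsafe-eval'", // 2) listed sources
  noEval:   "script-src 'self' https://cdn.example.net 'unsafe-inline'",      // 3) ... without eval
  noInline: "script-src 'self' https://cdn.example.net",                      // 4) no inline scripts
};

// Extract the script-src directive from a CSP header value.
// Returns null when the header has no script-src (real CSP would then
// fall back to default-src; this simplified model does not).
function parseScriptSrc(policy) {
  const directive = policy.split(';').map(d => d.trim())
    .find(d => d.startsWith('script-src '));
  if (!directive) return null;
  const sources = directive.slice('script-src '.length).split(/\s+/).filter(Boolean);
  return {
    none: sources.includes("'none'"),
    self: sources.includes("'self'"),
    unsafeInline: sources.includes("'unsafe-inline'"),
    unsafeEval: sources.includes("'unsafe-eval'"),
    hosts: sources.filter(s => !s.startsWith("'")),   // host sources, compared by origin
  };
}

// script is one of: { inline: true } | { eval: true } | { src: 'https://host/file.js' }.
// The policy cannot tell an author's inline script from an injected one:
// both are just "inline", so 'unsafe-inline' admits either.
function isScriptAllowed(policy, script, pageOrigin) {
  const p = parseScriptSrc(policy);
  if (p === null) return true;          // no script-src restriction in this model
  if (p.none) return false;             // 'none' blocks everything, eval included
  if (script.eval) return p.unsafeEval;
  if (script.inline) return p.unsafeInline;
  const origin = new URL(script.src).origin;
  if (p.self && origin === pageOrigin) return true;
  return p.hosts.includes(origin);
}

// Which of the four policies still admit an inline script of unknown provenance?
function policiesAdmittingInline() {
  return Object.keys(POLICIES).filter(k => isScriptAllowed(POLICIES[k], { inline: true }, PAGE));
}
```

Only the fourth policy refuses the inline script, which is the author/attacker distinction Dan is pointing at: the first three cannot make it.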
Received on Monday, 5 March 2012 19:14:03 UTC