W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2016

Re: In-browser sanitization first, "Safe Node" later?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 8 Feb 2016 12:27:05 -0800
Message-ID: <CAPfop_2iiCASBguKYGx+dcETzaP1uS_He6b4dC7Q23iP_MdUCw@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Chris Palmer <palmer@google.com>, Craig Francis <craig.francis@gmail.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> FWIW, the vast majority of XSSes that we see have to do with the
> failure to consistently call existing APIs for everything that needs
> scrubbing / sanitization. It's not a scientific number, but I'd say
> it's in the ballpark of 95%.
> That's why I'm a lot more inclined to believe that flexible
> containment solutions - such as Safe Node, suborigins, or some of the
> more recent evolutions of CSP - have more promise. Doubly so when they
> can be retrofitted cleanly and easily into existing software.

+1 to both these points.

Received on Monday, 8 February 2016 20:27:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC