Re: On the Insecurity of Whitelists and the Future of CSP

On Thu, Sep 8, 2016 at 1:28 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Sep 8, 2016 at 1:16 PM, Artur Janc <aaj@google.com> wrote:
> > An attacker with an XSS can set any cookie they want to make the exfiltrated
> > data visible across the whole top-level domain, so they're not bound by
> > flags on any existing cookies.
>
> That depends on whether or not we offer ways to restrict cookie APIs.
> (I think there's a proposal for that somewhere.)
>
>
> > I'm not saying that preventing exfiltration is a priori bad or impossible.
> > However, it's something that we're nowhere near solving, and even if it's
> > solved it will not make cross-site scripting much less of a concern for most
> > applications. Compare this to the goal of preventing malicious script
> > execution in the first place, which we're close to achieving with nonces +
> > trust propagation with 'strict-dynamic' (at least for most classes of XSS
> > that we currently see).
> >
> > If we can improve the situation there (e.g. give developers more powerful
> > features to execute trusted scripts while disallowing injected ones) then
> > we're simultaneously solving the exfiltration issue because an attacker
> > without script execution cannot easily extract the data from the DOM in the
> > first place. And on top of it, we're addressing the other current risks of
> > XSS, such as persistent access to the compromised origin, and so on. I think
> > it's a powerful signal that we should be focusing efforts on that area.
>
>
That's what I meant earlier. If we can provide better ways of stopping
unwanted script from executing, then the exfiltration is less of an issue.
I think the strict-dynamic approach can provide better security in that
sense. Still, the syntax issue needs to be discussed. As in our previous
email discussion, I think TPAC is probably a good venue, where all the
people interested are sitting at one table.


> Fair.
>
>
> --
> https://annevankesteren.nl/
>

Received on Thursday, 8 September 2016 12:09:43 UTC
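The nonce + 'strict-dynamic' mechanism Artur refers to in the quoted message, as an added example that is not part of the thread and not any browser's code: a small JavaScript model of the script-src decision a CSP3 browser makes for each script element, run against a classic host allowlist and against a nonce-based policy. The nonce value, page origin, both policies and the six script elements are constructed for illustration; hashes, ports, paths and non-leading wildcards are left out of the model.

```javascript
// Simplified model of the CSP3 script-src check for a <script> element.
// It implements the rules for nonces, host and scheme sources, 'self',
// 'unsafe-inline' and 'strict-dynamic'; everything else is omitted.

const NONCE = "d2VsY29tZS10by10cGFj"; // assumption: a fresh random value per response
const PAGE_ORIGIN = "https://app.example"; // assumption: origin serving the page

// Parse the script-src directive of a Content-Security-Policy header value.
function parseScriptSrc(headerValue) {
  const policy = { nonces: new Set(), sources: [], self: false, unsafeInline: false, strictDynamic: false };
  const directive = headerValue
    .split(";")
    .map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/.test(d));
  if (!directive) throw new Error("no script-src directive in policy");
  for (const token of directive.split(/\s+/).slice(1)) {
    const t = token.replace(/^'|'$/g, "");
    if (t.startsWith("nonce-")) policy.nonces.add(t.slice("nonce-".length));
    else if (t === "strict-dynamic") policy.strictDynamic = true;
    else if (t === "unsafe-inline") policy.unsafeInline = true;
    else if (t === "self") policy.self = true;
    else policy.sources.push(t); // host expression or scheme source
  }
  return policy;
}

// Does a URL match one host expression ("https://cdn.example", "*.cdn.example")
// or scheme source ("https:")?
function matchSource(source, url) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const [scheme, hostPart] = source.includes("://") ? source.split("://") : [null, source];
  if (scheme && url.protocol !== scheme + ":") return false;
  if (hostPart.startsWith("*.")) return url.hostname.endsWith(hostPart.slice(1));
  return url.hostname === hostPart;
}

// script = { src: string|null, nonce: string|null, parserInserted: boolean }
function scriptAllowed(policy, script, pageOrigin) {
  const nonceMatches = script.nonce !== null && policy.nonces.has(script.nonce);
  if (nonceMatches) return true;
  if (policy.strictDynamic) {
    // With 'strict-dynamic', host/scheme sources, 'self' and 'unsafe-inline'
    // are ignored. A script element the HTML parser did not insert (one created
    // with document.createElement by script that is already running, hence
    // trusted) inherits that trust; anything parser-inserted needs a nonce.
    return !script.parserInserted;
  }
  if (script.src === null) {
    // Inline script: only 'unsafe-inline' admits it, and CSP ignores
    // 'unsafe-inline' as soon as the policy carries a nonce or hash.
    return policy.unsafeInline && policy.nonces.size === 0;
  }
  const url = new URL(script.src);
  if (policy.self && url.origin === pageOrigin) return true;
  return policy.sources.some((s) => matchSource(s, url));
}

// Constructed policies. The second keeps 'unsafe-inline' and https: only as a
// fallback for pre-CSP3 browsers, which treat 'strict-dynamic' as unknown and
// drop 'unsafe-inline' because a nonce is present; CSP3 browsers ignore both.
const ALLOWLIST = "script-src 'self' https://cdn.example https://api.partner.example";
const STRICT = `script-src 'nonce-${NONCE}' 'strict-dynamic' 'unsafe-inline' https:`;

// Constructed script elements: the application's own, ones an attacker
// injects through an XSS, and ones a trusted loader creates at runtime.
const SCRIPTS = {
  appInline: { src: null, nonce: NONCE, parserInserted: true },
  injectedExternal: { src: "https://evil.example/x.js", nonce: null, parserInserted: true },
  injectedJsonp: { src: "https://api.partner.example/jsonp?callback=alert", nonce: null, parserInserted: true },
  injectedInline: { src: null, nonce: null, parserInserted: true },
  dynamicCdn: { src: "https://cdn.example/widget.js", nonce: null, parserInserted: false },
  dynamicThirdParty: { src: "https://third.example/analytics.js", nonce: null, parserInserted: false },
};

// Evaluate every constructed script element against one policy.
function evaluate(headerValue) {
  const policy = parseScriptSrc(headerValue);
  const result = {};
  for (const [name, script] of Object.entries(SCRIPTS)) {
    result[name] = scriptAllowed(policy, script, PAGE_ORIGIN);
  }
  return result;
}

console.table({ allowlist: evaluate(ALLOWLIST), strictDynamic: evaluate(STRICT) });
```

Run with node. The table shows the point of the subject line: the allowlist admits `injectedJsonp` because the host is listed, even though the attacker chose the script, while the nonce policy blocks every parser-inserted script that lacks the nonce, including the injected inline one despite the 'unsafe-inline' fallback. It also shows the caveat of trust propagation: under 'strict-dynamic' `dynamicThirdParty` runs because a nonced script created it, so the loaders that carry the nonce become the code to audit.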