W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2010

[whatwg] idea about html code security anti xss

From: Arun Ranganathan <arun@mozilla.com>
Date: Tue, 15 Jun 2010 18:29:50 -0700
Message-ID: <4C18290E.1070708@mozilla.com>
On 6/15/10 6:19 PM, gabmeyer at westweb.at wrote:
> Hello,
>
> I had just this idea after reading so much about xss and code injection.
>
> I think there is a simple solution:
>
> 1.)
> I now invent an attribute called strlen=""
>
> I append this to a<div strlen="94843">htmlcode with strlen of 94843 bytes including whitespace</div>
>
> The browser know knows the exact position where the divtag must end.
>
> You cannot inject some code that closes the tag before.
>
> 2.)
> you can now control the code inside the div.
> you can also append a second attribute called "secure" that prevents any scriptcode to run from inside the div.
>
>
> Maybe this idea is not new, or does not work.
>
> Please let me know what you think about this idea.
>
> Christian Gabmeyer
>
>    

I think one approach that we're interested in pursuing at Mozilla is the 
Content Security Policy approach:

https://wiki.mozilla.org/Security/CSP/Specification

In particular, restrictions on inline scripts, or at least on 'eval' 
might be useful here, along with other mitigation on loading cross-site 
content.

We'd like this in the Firefox 4 timeframe.

-- A*
>
>
>
>    
Received on Tuesday, 15 June 2010 18:29:50 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:24 UTC