- From: Rob Levin <roblevin@hotmail.com>
- Date: Thu, 28 Jul 2011 17:25:02 +0100
Hello, I posted this to the whatwg forums last week, and was advised to post to the mailing list. Here goes. I've been thinking for some time about XSS attacks and ways to mitigate them, and two observations struck me: (1) XSS attacks nearly always occur in the <body> block of a html document, and not the <head> block. This is because the attack surface of the <body> is generally larger than the <head> block, and user-generated content is usually (but not always) placed in the <body> of a document. (2) With the rise of Javascript frameworks like JQuery, it is becoming best practice to separate the code from the content. All legitimate code can be placed in the <head> block without too much effort, for many sites. So I came to the conclusion that adding a simple html mechanism to allow an author to tell a user-agent that scripts should only be executed from the <head> block would give a powerful weapon to authors to prevent XSS exploits. Authors would write their own scripts, include them in their <head> block, and instruct the user-agent that any scripts in the <body> block should be ignored. This would be easy implement on the user-agent side and easy to use on the author side. And it would degrade gracefully in older user-agents. Excited with this idea, I set out to find the right people to contact to get this moving, which eventually led me to WHATWG. I did some research on the mailing list archives, and realised that other people have had my ideas first (many years ago), and are well on the way to implementing them. Oh well, never mind! So I've read about sandboxing on IFrames, and the CSP unofficial draft, and clearly these efforts are solving bigger problems in a more comprehensive way, which largely encompass my ideas. Well done to all involved on these major efforts. But... there are a few things that strike me. Firstly, whatever is done to mitigate XSS should be really really simple to use and understand by authors. I'm not sure that CSP hits the sweet spot between usability and security; I am worried it is going to be too difficult to use for the mass market, and hence fail in part of its mission. For me, the instruction to inform a user-agent that a script should be ignored in the body should look something like: <head> <security request="NoBodyScripts"></security> </head> this would be intuitive to most authors, and would stop an awful lot of attacks. How can I achieve the same effect with CSP? I may have it wrong, but the only way I can see to implement this with CSP would be to do something like: <head> <meta http-equiv="X-Content-Security-Policy" script-nonce="[a strong dynamic random token]"> </head> ...and include this nonce with every script on the page. Secondly, creating and implementing a protocol such as CSP is only part of the story to really eliminate XSS in the wild. The social aspect needs to be thought through. I think the best way to encourage authors to use it would be to show some consistent visual feedback given to users that their site has implemented "Web Security" and that the user-agent is enforcing it. This would then start a virtuous feedback cycle where more sites implement the security, putting pressure on more user-agents to implement it etc. Users are already used to a padlock symbol showing a secure socket connection; a similar common symbol could be recommended to user-agents to display to users when CSP is invoked. This should be part of the spec, in my opinion. thanks, -rob
Received on Thursday, 28 July 2011 09:25:02 UTC