
Re: [whatwg] Proposal: Write-only submittable form-associated controls.

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 15 Oct 2014 08:16:03 -0700
Message-ID: <CALx_OUBHtr00HgAF+UUF+Xw2qdumoyFOOgi=0tzg6Co33eg3sg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Jonas Sicking <jonas@sicking.cc>
> Fair enough - although I worry that the likelihood of people using
> this in conjunction with tightly-scoped per-document CSP (versus the
> far more likely scenario of just having a minimal XSS-preventing
> site-wide or app-wide policy that will definitely not mitigate #3 and
> probably do nothing for #1) is pretty slim.

In fact, the XSS-preventing part is probably a stretch. Facebook and
Twitter are often mentioned as the two most significant customers for
CSP, but both use unsafe-inline and unsafe-eval.

On top of that, note that #3 is not defeated by origin-scoped rules -
you need to specify full paths.

Honestly, if we're creating a mechanism that implies that a degree of
protection is provided for password fields, we should either make it
work on its own, *or* at the very minimum require a CSP with
form-action specified, and otherwise warn or, better yet, break fields
flagged as writeonly.

Received on Wednesday, 15 October 2014 15:16:57 UTC
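
Added illustration, not part of the original message: a JavaScript audit of a Content-Security-Policy string for the conditions the message raises (unsafe-inline or unsafe-eval in the script policy, a missing form-action directive, and form-action sources that are origin-scoped rather than full paths). The function names and sample policies are constructed for this example, and nonce or hash interactions with 'unsafe-inline' are not modelled.

```javascript
// Hypothetical helper: split a policy into directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True only for host sources that pin a path beyond "/".
// Keywords ('self'), scheme-only sources (https:) and bare origins carry none.
function hasPath(source) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?[^\/']+(\/.*)?$/i.exec(source);
  return Boolean(m && m[1] && m[1] !== '/');
}

// Hypothetical audit: returns the findings that would leave a writeonly
// field without the CSP backing the message asks for.
function auditForWriteonly(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when absent.
  const script = (d.get('script-src') || d.get('default-src') || [])
    .map((s) => s.toLowerCase());
  for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (script.includes(kw)) findings.push(`script policy allows ${kw}`);
  }
  // form-action does NOT fall back to default-src, so it must be explicit.
  const formAction = d.get('form-action');
  if (formAction === undefined) {
    findings.push('no form-action directive');
  } else {
    const loose = formAction.filter(
      (s) => s.toLowerCase() !== "'none'" && !hasPath(s));
    if (loose.length) findings.push(`form-action not path-scoped: ${loose.join(' ')}`);
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample policies.
const SITE_WIDE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const ORIGIN_SCOPED = "script-src 'self'; form-action 'self' https://example.com";
const PATH_SCOPED = "script-src 'self'; form-action https://example.com/login";
```
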
