Comments on: Interoperability and XSS Mitigation http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/ This Must Be the Place (Naive Melody) Thu, 10 Sep 2009 06:17:03 -0700 http://wordpress.org/?v=2.8.6 hourly 1 By: Arshan Dabirsiaghi http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/comment-page-1/#comment-5816 Arshan Dabirsiaghi Sun, 06 Jan 2008 15:48:25 +0000 http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/#comment-5816 Wow your comment consumer totally ate my message. I was displaying a "jail" tag that had 2 attributes, a ruleset identifier and a "secret". The ability to customize the ruleset will be an important piece of functionality that must be present for that idea to work. Wow your comment consumer totally ate my message. I was displaying a “jail” tag that had 2 attributes, a ruleset identifier and a “secret”. The ability to customize the ruleset will be an important piece of functionality that must be present for that idea to work.

]]> By: Arshan Dabirsiaghi http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/comment-page-1/#comment-5815 Arshan Dabirsiaghi Sun, 06 Jan 2008 15:46:26 +0000 http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/#comment-5815 Rob, This is great stuff - you might want to check out the <a href="http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project" rel="nofollow">AntiSamy</a> project. We've already setup the framework and a Java implementation for safely validating rich input/content restrictions according to a policy file dictating what elements, attributes, size, etc. can occur. AntiSamy is definitely separated from the pack in that it also validates CSS. Side note - I'm not in love with the "sandbox header" idea, but I'm always parroting the same line my boss gave me. There's 4 big browsers, hundreds of thousands of companies writing web applications, and millions of developers throughout the world. Where's the easiest place to get stuff done? I like a modification to the jail idea. As long as you're using a secure PRNG, you're in business: attack_that_fails(); The "rules" attribute could point to previously defined set of rules, either globally known or defined in the page like CSS rules. Rob,

This is great stuff – you might want to check out the AntiSamy project. We’ve already setup the framework and a Java implementation for safely validating rich input/content restrictions according to a policy file dictating what elements, attributes, size, etc. can occur. AntiSamy is definitely separated from the pack in that it also validates CSS.

Side note – I’m not in love with the “sandbox header” idea, but I’m always parroting the same line my boss gave me. There’s 4 big browsers, hundreds of thousands of companies writing web applications, and millions of developers throughout the world. Where’s the easiest place to get stuff done?

I like a modification to the jail idea.

As long as you’re using a secure PRNG, you’re in business:

attack_that_fails();

The “rules” attribute could point to previously defined set of rules, either globally known or defined in the page like CSS rules.

]]> By: RSnake http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/comment-page-1/#comment-3610 RSnake Sun, 09 Sep 2007 21:00:22 +0000 http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/#comment-3610 Hey, Rob - I'm actually the person who came up with the original concept for content restrictions, and later gave the concept to Rafael who gave it to Gerv (they will verify this). I'm told you are working on this now, so please feel free to drop me a line and I can discuss the origins of it (off this thread) and some more details. I told Mike Shaver that I'd get back to him on this, but if you are taking this over, perhaps you'd be better to speak with. Hey, Rob – I’m actually the person who came up with the original concept for content restrictions, and later gave the concept to Rafael who gave it to Gerv (they will verify this). I’m told you are working on this now, so please feel free to drop me a line and I can discuss the origins of it (off this thread) and some more details. I told Mike Shaver that I’d get back to him on this, but if you are taking this over, perhaps you’d be better to speak with.

]]> By: Ezra Cooper http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/comment-page-1/#comment-3112 Ezra Cooper Fri, 10 Aug 2007 10:34:12 +0000 http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/#comment-3112 Rob--Another similar proposal is <a href="http://www.research.att.com/~trevor/beep.html" rel="nofollow">BEEP</a> by Trevor Jim et al., presented at WWW 07. FWIW. Rob–Another similar proposal is
BEEP by Trevor Jim et al., presented at WWW 07. FWIW.

]]> By: Ian Hickson http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/comment-page-1/#comment-3105 Ian Hickson Thu, 09 Aug 2007 23:49:55 +0000 http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/#comment-3105 Actually as far as I can tell no browsers are vulnerable to the re-parse bug anymore. (Tested relatively recent versions of Safari, Opera, IE, and Firefox on Windows.) So I'm not sure fixing it would be a Web-compat problem... :-) Actually as far as I can tell no browsers are vulnerable to the re-parse bug anymore. (Tested relatively recent versions of Safari, Opera, IE, and Firefox on Windows.) So I’m not sure fixing it would be a Web-compat problem… :-)

]]> By: Michael http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/comment-page-1/#comment-3076 Michael Tue, 07 Aug 2007 17:21:13 +0000 http://blog.mozilla.com/rob-sayre/2007/08/06/interoperability-and-xss-mitigation/#comment-3076 What about digitally signing the javascript blocks? Do you see any problem with that? Off course, the site would need to use SSL or another specific mechanism. What about digitally signing the javascript blocks? Do you see any problem with that?

Off course, the site would need to use SSL or another specific mechanism.

]]>