> [EMAIL PROTECTED] wrote:
>> ...if we keep wasting time patching an unsound system, we will die the death of a thousand cuts. We need to specify the system and then move our code to match the spec.
> Agree.
> So I thought to write down some kind of semi-formal set of definitions and rules, from which inductive or other proofs could be done. This is hard, and it wants to turn into some kind of operational semantics. The first rough cut is at http://wiki.mozilla.org/Security:Strawman_Model. Comments and questions welcome.
I realize this is a rough cut, but should the XHTML subset include CSS code? I suspect it should, since CSS can contain URIs.
<http://www.feedparser.org/docs/html-sanitization.html#advanced.sanitization.why>
> We clearly need more degrees of sandboxing than "runs as you" and "runs as a crippled mid-90s web app's window-bound JS".
I might be jumping ahead to the fun stuff, but I think I can see a useful degree above and below crippled mid-90s webapps.
1.) Content served with mutual authentication (where the client also checks the server's creds) should execute with higher privileges.
2.) We should create a container element that invokes sanitization code. Let's call it <livejournal-comment>.
<livejournal-comment> do whatever in here, the browser will elide the dangerous stuff as the content sink receives it... </livejournal-comment>
> A lot of great research work has been done over the years...
bibliography?

thanks,
Rob
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
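A sketch of the sanitizing content sink Rob proposes for <livejournal-comment>, added here as an example and not code from the thread, from Mozilla or from feedparser: it follows the approach the feedparser page linked above describes (whitelist elements, attributes, URI schemes and CSS properties, and elide everything else, including url() in style attributes). The whitelists, the CSS value pattern, the element and attribute names and the sample comment are this example's own assumptions.

```python
import html
import re
from html.parser import HTMLParser

# The whitelists below are this example's own choices, not a Mozilla or feedparser spec.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "span", "ul", "ol", "li", "blockquote"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title", "width", "height"},
                 "span": {"style"}, "p": {"style"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "iframe", "noscript"}  # tag AND text dropped
ALLOWED_CSS_PROPS = {"color", "background-color", "font-weight", "font-style", "text-decoration", "text-align"}
# A value this plain cannot smuggle url(), expression(), backslash escapes or @import.
CSS_VALUE_RE = re.compile(r"^[A-Za-z0-9#%., -]+$")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def safe_url(value):
    # Browsers ignore embedded tabs/newlines, so judge "java\tscript:" as "javascript:".
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    m = SCHEME_RE.match(cleaned)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES  # relative URLs pass


def sanitize_style(style):
    # Keep only whitelisted properties whose values match the conservative shape.
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        if prop.lower() in ALLOWED_CSS_PROPS and CSS_VALUE_RE.match(value):
            kept.append(f"{prop.lower()}: {value}")
    return "; ".join(kept)


class CommentSanitizer(HTMLParser):
    # Re-serialises a fragment as the content sink receives it, eliding the rest.
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity-encoded tricks are decoded before checks
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped-content element
        self.open_tags = []   # whitelisted elements still awaiting their close tag

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in DROP_CONTENT_TAGS:
            if tag in DROP_CONTENT_TAGS: self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element (a <div>, a <form>): drop the tag, keep its children
        safe_attrs = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is also what removes every on* handler
            if name in ("href", "src") and not safe_url(value):
                continue
            if name == "style":
                value = sanitize_style(value)
                if not value:
                    continue
            safe_attrs.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS: self.skip_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:  # close anything opened after it so the output nests properly
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (IE conditional comments included) never reach the sink


def sanitize(fragment):
    # Sanitise the body of a <livejournal-comment> element and return safe markup.
    parser = CommentSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:  # close whatever the author left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample comment, not real LiveJournal content.
    print(sanitize('<p onclick="evil()">hi <b>there</b></p>'
                   '<span style="color: red; background: url(javascript:alert(1))">y</span>'))
```

The parser decodes character references before any check runs, which is what defeats `java&#9;script:` and `&lt;script&gt;` style evasions; the `style` handling shows why the CSS subset matters, since `background: url(...)` is elided while `color: red` survives.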
