Robert Sayre wrote:
> I realize this is a rough cut, but should the XHTML subset include CSS
> code? I suspect it should, since CSS can contain URIs.

I'm leaving that out for now. Also, as alluded to by bz, we have anti-sanitization constraints on URIs in CSS that are "just so", which could be relaxed in a data-tainting future architecture. But I'm not ready to add these to the model. We should keep them in mind as important restrictions to enforce in our code, and perhaps to remove in future models.

> 1.) Content served with mutual authentication (where the client also
> checks the server's creds) should execute with higher privileges.

Right! Policy should uphold certain properties, but let's suppose that when you have a non-server-signed cert authenticating the server for an established, stepped-up SSL connection, and you have signed with help from the password manager, the site should be allowed to do certain things we don't let origins do by default. An example would be popping up system notification messages (system tray "toast" on Windows). This is something web apps need to be competitive with desktop apps. Other examples could include freedom from resource quotas of various kinds imposed on random web JS. More thoughts welcome, here or (better, eventually) in the wiki.

> 2.) We should create a container element that invokes sanitization code.
> Let's call it <livejournal-comment>.
>
> <livejournal-comment>
> do whatever in here, the browser will elide the dangerous stuff
> as the content sink receives it...
> </livejournal-comment>

This has been suggested, I believe there is a bug on file. Can someone find and cite it?

> > A lot of great research work has been done over the years...
>
> bibliography?

http://wiki.mozilla.org/index.php?title=Security:Bibliography is under construction.

/be

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
