Hello.  I wonder if there is any interest in adding some features
to Firefox/Mozilla for protecting against script injection/cross-site
scripting.  Some colleagues and I have a proposal that we have
implemented in several other browsers (Konqueror, Safari, Opera) and
we believe it would be easy to implement in Firefox as well.  A full
description and research paper are here:

     http://www.research.att.com/~trevor/beep.html

Briefly, we modify browsers so that a web site can write a security
policy on what scripts will be allowed to run in the browser.  The
policy takes the form of a JavaScript function that is simply embedded
in a web page like any other script.  The browser will execute the
policy before executing any other scripts in the page, essentially
consulting the policy on whether to execute the other scripts.

I'm aware that there may be ongoing work to add a different mechanism
to Firefox to protect against script injection, the "content restrictions"
proposal:

     http://groups.google.com/group/mozilla.dev.security/browse_frm/thread/d7a2adf3511cc1f1/90aa822a4fc4921b#90aa822a4fc4921b

In comparison to that proposal, an advantage of our proposal is that
it is very general (the policy provided by the web site can be anything
written in JavaScript) whereas my impression of content restrictions is
that the policies that can be enforced are more baked-in or hard-coded.
Therefore, I hope that our proposal is flexible enough to support policies
and scenarios which may become necessary in the future.

I'd appreciate any feedback.

Regards,
Trevor Jim
AT&T Labs - Research
http://www.research.att.com/~trevor/


_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
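
The mechanism described in the message above, as an added sketch that is not part of the original post and not the authors' implementation: a simulated page loader runs the site's policy script first and then consults it before every other script. The names loadPage and page.policy, the allowlist policy, the fail-closed behaviour, and all sample scripts are assumptions constructed for illustration.

```javascript
// Browser side (simulated). "page.policy" is a hypothetical slot name for this sketch.
function loadPage(scripts) {
  const page = { policy: null, log: [], blocked: [] };
  const [first, ...rest] = scripts;
  // The first script in the page is the site's policy and runs before any other.
  new Function("page", first)(page);
  // Capture the policy once so that no later script can replace it.
  const policy = page.policy;
  for (const src of rest) {
    let allowed = false;
    try {
      // Consult the policy; only an explicit `true` lets the script run.
      allowed = typeof policy === "function" && policy(src) === true;
    } catch (e) {
      allowed = false; // design choice of this sketch: a throwing policy fails closed
    }
    if (allowed) new Function("page", src)(page);
    else page.blocked.push(src);
  }
  return page;
}

// Site side: the scripts the site itself placed in the page (constructed samples).
const approved = [
  'page.log.push("menu initialised");',
  'page.log.push("analytics loaded");',
];
// The policy is ordinary JavaScript embedded in the page like any other script.
// Here it is an allowlist of the exact script sources the site approved.
const policyScript =
  "const ok = new Set(" + JSON.stringify(approved) + ");" +
  "page.policy = (src) => ok.has(src);";
// Constructed stand-ins for content that reached the page through injection.
const injected = [
  'page.log.push("injected script ran");',
  "page.policy = () => true;",
];

function demo() {
  return loadPage([policyScript, approved[0], injected[0], injected[1], approved[1]]);
}

const result = demo();
console.log("ran:", result.log);
console.log("blocked:", result.blocked.length);
```

Because the policy is arbitrary JavaScript, the allowlist here could be swapped for any other decision function without changing the loader.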