Adam Barth wrote:
I've taken the liberty of sketching out a straw-man XSSModule for CSP
on the Mozilla wiki:
https://wiki.mozilla.org/Security/CSP/XSSModule
I welcome your feedback,
Adam
Hi Adam,
I'm not sure if hacking at the straw man should occur on the list or on
the wiki. Please let me know if it should go to the wiki.
Threat Model:
"We further assume the web developer wishes to prevent the attacker from
achieving any of the following goals:
* The attacker must not learn the contents of the target web site's
cookies."
A broader definition than cookie stealing that also covers integrity
issues like defacement could be:
* The attacker's sequence of injected bytes is interpreted as one or
more script instructions and executed with the privileges of the
(CSP-protected) document.
If the purpose of the threat model is to scope out the protections
afforded by the module, then the following may be more appropriate:
* The attacker's sequence of injected bytes is interpreted as an
inline script (i.e., a <script> element without a |src| attribute, a script
element attribute, a javascript: URI, dynamic CSS, etc.)
* The attacker's sequence of injected bytes is interpreted as a
reference to an external script, where the external script is located at a
different origin to the document protected by CSP
* The attacker's sequence of injected bytes is compiled as a result
of executing an allowed script (e.g., via eval(), setTimeout(),
setInterval(), or the Function constructor)
block-xss directive:
The effects of this directive are given in a default-allow style, which
could lead to gaps in protection. (Some possible gaps are commented on
in the Open Issues section.) Could the effects of block-xss be
specified as exceptions to a default-deny policy?
Open Issues section:
IE's CSS behaviors and expressions could fit in the same category as XBL
bindings, as they are non-standard features that can be used as XSS vectors.
Mike
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security