Status: New
Owner: kpreid.switchb.org
CC: erights
Labels: Type-Enhancement Priority-Low Security SES
New issue 1702 by kpreid.switchb.org: Replace NO_KNOWN_EXPLOIT_SPEC_VIOLATION with application-specific indicators
http://code.google.com/p/google-caja/issues/detail?id=1702
In order to increase compatibility with browsers, we introduced the SES
severity level NO_KNOWN_EXPLOIT_SPEC_VIOLATION (hereafter NKESV). This
level has been described as "a known and potentially unsafe spec violation
[which] does not appear to be exploitable" and "known to introduce an
indirect safety issue which, however, is not known to be exploitable".

My recent work on the Firefox cross-frame freeze bug has led me to the
notion that this is incoherent: "no known exploit" depends on _the use
being made of SES_, not just SES itself.

I therefore propose that we should remove the NKESV severity level
entirely; instead, the interface for SES initialization (currently
consisting of the property ses.maxAcceptableSeverityName) should include a
means to specify which unrepaired problems the application is prepared to
operate in spite of. Caja would then specify such a list which consists of
every problem currently denoted as NKESV.

This means that our choices of problems we are prepared to deal with in
Caja are not directly changes to SES per se, and do not affect the security
of any other users of SES.
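
A sketch of the policy shape the issue proposes, added here as an illustration and not taken from SES or Caja. Only `ses.maxAcceptableSeverityName` appears in the issue; `acceptedProblems`, `evaluateStartup`, the problem ids and the simplified severity table are hypothetical.

```javascript
// Simplified severity ordering for this sketch (an assumption of the example,
// not a copy of SES's table). There is deliberately no NKESV level.
const SEVERITY = Object.freeze({
  SAFE: 0,
  SAFE_SPEC_VIOLATION: 1,
  UNSAFE_SPEC_VIOLATION: 2,
  NOT_ISOLATED: 3,
});

// Constructed reports of problems left unrepaired after startup.
const sampleReports = Object.freeze([
  { id: 'EXAMPLE_FREEZE_QUIRK', severity: 'UNSAFE_SPEC_VIOLATION' },
  { id: 'EXAMPLE_HARMLESS_QUIRK', severity: 'SAFE_SPEC_VIOLATION' },
]);

// Hypothetical policy check: a problem is tolerated if its severity is within
// the threshold, or if the application has named that problem explicitly.
function evaluateStartup(reports, policy) {
  if (!(policy.maxAcceptableSeverityName in SEVERITY)) {
    throw new TypeError('unknown severity: ' + policy.maxAcceptableSeverityName);
  }
  const max = SEVERITY[policy.maxAcceptableSeverityName];
  const accepted = new Set(policy.acceptedProblems || []);
  const seen = new Set(reports.map((r) => r.id));
  const blocking = [];
  for (const r of reports) {
    const level = SEVERITY[r.severity];
    // Fail closed on a severity this table does not know.
    if (level === undefined || (level > max && !accepted.has(r.id))) {
      blocking.push(r.id);
    }
  }
  // Accepted ids that match no report are stale entries worth pruning.
  const unused = [...accepted].filter((id) => !seen.has(id));
  return { ok: blocking.length === 0, blocking, unused };
}

// Two embedders see the same reports but make different, explicit choices.
const cajaLikePolicy = {
  maxAcceptableSeverityName: 'SAFE_SPEC_VIOLATION',
  acceptedProblems: ['EXAMPLE_FREEZE_QUIRK', 'EXAMPLE_OLD_QUIRK'],
};
const strictPolicy = { maxAcceptableSeverityName: 'SAFE_SPEC_VIOLATION' };
```

The acceptance list lives in the embedder's policy object, so one embedder's tolerance for a problem does not change the outcome for another embedder using the same severity table.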