On Mon, 30 Jan 2006 21:21:13 +0600, Gervase Markham <[EMAIL PROTECTED]> wrote:

>> It's specifically targeted at keeping decent security in older browsers.
>> User agents that don't support sandboxing won't execute the scripts at all.

> What problem are you trying to solve with this proposal? I'm not sure
> it's the same one that I am. You are trying to solve the problem of
> letting LiveJournal authors include certain types of "safe" script on
> their page, when currently they aren't allowed to include any.
>
> I'm trying to solve the problem of protecting users from XSS attacks
> when there are unexpected bugs in an author's web application.

Well, now I see. Really, for this use case your proposal seems reasonable, but because my proposed <sandbox> element covers both use cases (allowing limited scripting in user-supplied content, and protection against XSS bugs as a second line of defense), the content restrictions specified by an HTTP header may be a duplication. If <sandbox> ends up in the spec, then the header need not.

> And anyway, I don't think it's a serious security problem, because it
> already has a solution - filter out <script> altogether. I've not come
> across a compelling use case which says that blogs and wikis need to
> allow people to insert certain sorts of script into the blogpost or wiki
> page.

http://www.livejournal.com/support/faqbrowse.bml?faqid=14
They clearly state that they would like to allow scripts, but they don't know how to do it safely.
I think it's not just a problem of this particular site.


--
Opera M2 8.5 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station [ICQ: 115226275] <[EMAIL PROTECTED]>
