Closed
Bug 301375
(xss)
Opened 19 years ago
Closed 8 years ago
[meta] Ideas for mitigating XSS holes in web sites
Categories
(Core Graveyard :: Tracking, enhancement)
Core Graveyard
Tracking
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: jruderman, Unassigned)
References
(Depends on 2 open bugs, Blocks 1 open bug)
Details
(Keywords: meta, sec-want, Whiteboard: [sg:want])
Comment 1•19 years ago
|
||
*** Bug 312964 has been marked as a duplicate of this bug. ***
Reporter | ||
Updated•19 years ago
|
Alias: xss
Updated•19 years ago
|
Group: security
Updated•19 years ago
|
Group: security
Depends on: 324253
Updated•18 years ago
|
Whiteboard: [sg:want]
Comment 2•18 years ago
|
||
Ok, here's an idea. The problems of XSS, imho, are due to lack of separation in HTML btw metadata (incl. scripts) and data. The idea I'll present here will require some support from the server side, to help separate between metadata and data; however, the change is small enough, and the problem important enough, to make this reasonable, I think. Also I believe the method can be extended to provide (limited) client-only defense as well, but I won't cover this in this note to keep its length bearable. Specifically, I suggest sites use special markup to define permitted and forbidden areas, for different kinds of markup. This could take multiple forms, and careful evaluation should determine best forms, but let me give just two examples to make the idea concrete: <NoScript id=xxx>here goes HTML without any scripts, in either <script>(an ignored script)</script> or attributes (e.g. <a href=xx onsubmit="ignored"> </NoSrcipt id=xxx> <!-- notice use of random id attribute, matched between beginning and end NoScript tags, to avoid fake end NoScript by malicious markup--> <MarkupValidationOn id=xxx> rest of HTML document where _all_ tags are ignored, unless they contain the validating identifier, e.g. <Img src='webbugger.com'> is ignored while <img src='cow' id=xxx> is applied. I am thinking of prototyping something along these lines, so comments are most appreciated...
Reporter | ||
Updated•16 years ago
|
Depends on: CVE-2008-5510
Reporter | ||
Updated•14 years ago
|
Depends on: CVE-2010-1210
Reporter | ||
Updated•12 years ago
|
Depends on: CVE-2012-1965
Comment 3•8 years ago
|
||
Marking all tracking bugs which haven't been updated since 2014 as INCOMPLETE. If this bug is still relevant, please reopen it and move it into a bugzilla component related to the work being tracked. The Core: Tracking component will no longer be used.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
You need to log in
before you can comment on or make changes to this bug.
Description
•