Bug 301375 (xss)

[meta] Ideas for mitigating XSS holes in web sites

RESOLVED INCOMPLETE

Status

enhancement
RESOLVED INCOMPLETE
14 years ago
2 months ago

People

(Reporter: jruderman, Unassigned)

Tracking

(Depends on 8 bugs, Blocks 1 bug, {meta, sec-want})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:want])

(Reporter)

Description

14 years ago
 

Comment 1

14 years ago
*** Bug 312964 has been marked as a duplicate of this bug. ***
(Reporter)

Updated

14 years ago
Depends on: 321815
(Reporter)

Updated

14 years ago
Blocks: csrf
(Reporter)

Updated

14 years ago
Alias: xss
Group: security
Group: security
(Reporter)

Updated

13 years ago
Depends on: 296871
(Reporter)

Updated

13 years ago
Depends on: 326506
(Reporter)

Updated

13 years ago
Depends on: 332016
Whiteboard: [sg:want]
(Reporter)

Updated

13 years ago
No longer depends on: 296871
(Reporter)

Updated

13 years ago
Depends on: 359675

Comment 2

13 years ago
Ok, here's an idea. The problems of XSS, imho, are due to lack of separation in HTML between metadata (incl. scripts) and data. The idea I'll present here will require some support from the server side, to help separate between metadata and data; however, the change is small enough, and the problem important enough, to make this reasonable, I think. Also I believe the method can be extended to provide (limited) client-only defense as well, but I won't cover this in this note to keep its length bearable.

Specifically, I suggest sites use special markup to define permitted and forbidden areas, for different kinds of markup. This could take multiple forms, and careful evaluation should determine best forms, but let me give just two examples to make the idea concrete:

<NoScript id=xxx>here goes HTML without any scripts, in either <script>(an ignored script)</script> or attributes (e.g. <a href=xx onsubmit="ignored">) </NoScript id=xxx> <!-- notice use of random id attribute, matched between beginning and end NoScript tags, to avoid fake end NoScript by malicious markup -->

<MarkupValidationOn id=xxx> rest of HTML document where _all_ tags are ignored, unless they contain the validating identifier, e.g. <Img src='webbugger.com'> is ignored while <img src='cow' id=xxx> is applied. 

I am thinking of prototyping something along these lines, so comments are most appreciated... 
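The id-matching rule proposed in Comment 2, modelled as an added example (not part of the original comment and not Mozilla code). The `<NoScript id=...>` syntax is the comment's proposal rather than a browser feature, and `wrapUntrusted`, `splitRegions` and the sample comment are hypothetical names and constructed data.

```javascript
// Added example: models the id-matched <NoScript id=...> region proposed in
// Comment 2. The tag syntax is the comment's proposal, not a browser feature;
// wrapUntrusted and splitRegions are hypothetical names.
const { randomBytes } = require('crypto');

// Server side: wrap untrusted HTML in a region closed only by the same id.
function wrapUntrusted(untrustedHtml, makeId = () => randomBytes(16).toString('hex')) {
  let id = makeId();
  // Regenerate if the data already contains the id; otherwise the data
  // itself could carry a valid end tag.
  while (untrustedHtml.includes(id)) id = makeId();
  return `<NoScript id=${id}>${untrustedHtml}</NoScript id=${id}>`;
}

// Consumer side: split a document into segments, marking the text between
// matching begin/end tags as "restricted" (scripts must be ignored there).
function splitRegions(doc) {
  const open = /<NoScript id=([0-9a-f]+)>/g;
  const segments = [];
  let pos = 0;
  let m;
  while ((m = open.exec(doc)) !== null) {
    const endTag = `</NoScript id=${m[1]}>`;
    const bodyStart = m.index + m[0].length;
    let bodyEnd = doc.indexOf(endTag, bodyStart);
    // Fail closed: with no matching end tag, the rest stays restricted.
    const closed = bodyEnd !== -1;
    if (!closed) bodyEnd = doc.length;
    if (m.index > pos) segments.push({ mode: 'normal', text: doc.slice(pos, m.index) });
    segments.push({ mode: 'restricted', text: doc.slice(bodyStart, bodyEnd) });
    pos = closed ? bodyEnd + endTag.length : doc.length;
    open.lastIndex = pos;
  }
  if (pos < doc.length) segments.push({ mode: 'normal', text: doc.slice(pos) });
  return segments;
}

// Constructed sample: user data carrying end tags without the right id.
const SAMPLE_COMMENT =
  'hi</NoScript></NoScript id=0000><script>alert(1)</script>';

function demo() {
  const page = `<p>Comments:</p>${wrapUntrusted(SAMPLE_COMMENT)}<p>footer</p>`;
  return splitRegions(page);
}
```

The whole sample comment, including its end tags with a missing or wrong id, stays inside the single restricted segment because only the end tag carrying the server's id closes the region.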

Updated

13 years ago
Depends on: 361915

Updated

13 years ago
Depends on: 362235

Updated

13 years ago
Depends on: 362250

Updated

13 years ago
Depends on: 362259
(Reporter)

Updated

13 years ago
Depends on: 55137
(Reporter)

Updated

12 years ago
Depends on: jarxss

Updated

12 years ago
Blocks: 373140

Updated

12 years ago
No longer blocks: 373140
(Reporter)

Updated

12 years ago
Depends on: 350830
(Reporter)

Updated

12 years ago
Depends on: 376844
(Reporter)

Updated

12 years ago
Depends on: PR07-01

Updated

12 years ago
Depends on: 376899
(Reporter)

Updated

12 years ago
Depends on: 381412
(Reporter)

Updated

12 years ago
Depends on: 390910
Depends on: 392459
(Reporter)

Updated

12 years ago
Depends on: 305873
(Reporter)

Updated

12 years ago
Depends on: 394534
(Reporter)

Updated

12 years ago
Depends on: 395597
(Reporter)

Updated

12 years ago
Depends on: 404252
(Reporter)

Updated

12 years ago
Depends on: 406777

Updated

12 years ago
Depends on: 269116, 287990
Depends on: 414064
(Reporter)

Updated

11 years ago
Depends on: CVE-2008-5510

Updated

11 years ago
Depends on: 423389
Depends on: 352437
(Reporter)

Updated

11 years ago
Depends on: 441876
(Reporter)

Updated

11 years ago
Depends on: 443177
Depends on: 443345
(Reporter)

Updated

11 years ago
Depends on: 443564
(Reporter)

Updated

11 years ago
Depends on: 444222
Depends on: 430740
(Reporter)

Updated

11 years ago
Depends on: 446112
No longer depends on: 446112
Depends on: 446112
(Reporter)

Updated

11 years ago
Depends on: 448166
(Reporter)

Updated

11 years ago
Depends on: 450981
(Reporter)

Updated

11 years ago
Depends on: 463948

Updated

10 years ago
Depends on: 489704
(Reporter)

Updated

10 years ago
Depends on: 503789
(Reporter)

Updated

10 years ago
Depends on: 510868
(Reporter)

Updated

10 years ago
Depends on: 503632
(Reporter)

Updated

10 years ago
Depends on: 502047
(Reporter)

Updated

10 years ago
Depends on: xssfilter
(Reporter)

Updated

10 years ago
Depends on: 530308
(Reporter)

Updated

9 years ago
Depends on: CSP
(Reporter)

Updated

9 years ago
Depends on: 557420
(Reporter)

Updated

9 years ago
Depends on: 560927
(Reporter)

Updated

9 years ago
Depends on: CVE-2010-1210
(Reporter)

Updated

9 years ago
Depends on: 564706
(Reporter)

Updated

9 years ago
Depends on: 574485
(Reporter)

Updated

8 years ago
Depends on: 641148
(Reporter)

Updated

7 years ago
Depends on: CVE-2012-1965
Depends on: 759382

Updated

7 years ago
Depends on: 779406
(Reporter)

Updated

6 years ago
Depends on: 475216
Depends on: 867380

Updated

6 years ago
Blocks: 876280
(Reporter)

Updated

5 years ago
Depends on: mXSS

Comment 3

3 years ago
Marking all tracking bugs which haven't been updated since 2014 as INCOMPLETE.
If this bug is still relevant, please reopen it and move it into a bugzilla component related to the work being tracked. The Core: Tracking component will no longer be used.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard