Closed Bug 301375 (xss) Opened 19 years ago Closed 8 years ago

[meta] Ideas for mitigating XSS holes in web sites

Categories

(Core Graveyard :: Tracking, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: jruderman, Unassigned)

References

(Depends on 2 open bugs, Blocks 1 open bug)

Details

(Keywords: meta, sec-want, Whiteboard: [sg:want])

*** Bug 312964 has been marked as a duplicate of this bug. ***
Depends on: 321815
Blocks: csrf
Alias: xss
Group: security
Group: security
Depends on: 296871
Depends on: 326506
Depends on: 332016
Whiteboard: [sg:want]
No longer depends on: 296871
Depends on: 359675
Ok, here's an idea. The problems of XSS, imho, are due to lack of separation in HTML between metadata (incl. scripts) and data. The idea I'll present here will require some support from the server side, to help separate between metadata and data; however, the change is small enough, and the problem important enough, to make this reasonable, I think. Also I believe the method can be extended to provide (limited) client-only defense as well, but I won't cover this in this note to keep its length bearable.

Specifically, I suggest sites use special markup to define permitted and forbidden areas, for different kinds of markup. This could take multiple forms, and careful evaluation should determine best forms, but let me give just two examples to make the idea concrete:

<NoScript id=xxx>here goes HTML without any scripts, in either <script>(an ignored script)</script> or attributes (e.g. <a href=xx onsubmit="ignored">) </NoScript id=xxx> <!-- notice use of random id attribute, matched between beginning and end NoScript tags, to avoid fake end NoScript by malicious markup-->

<MarkupValidationOn id=xxx> rest of HTML document where _all_ tags are ignored, unless they contain the validating identifier, e.g. <Img src='webbugger.com'> is ignored while <img src='cow' id=xxx> is applied. 

I am thinking of prototyping something along these lines, so comments are most appreciated... 
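Added example, not code from the bug or from the commenter above: a small Python sketch of the two nonce-delimited regions proposed in that comment. It shows that a forged end tag without the matching id does not close the NoScript region, and that after MarkupValidationOn every tag lacking the id is dropped. The nonce value, the helper names and the sample markup are all constructed for the illustration.

```python
import re

# Constructed sample (not from the bug): attacker-controlled text sits inside
# the NoScript region and tries to break out with a forged end tag.
NONCE = "k9f2z"  # assumed per-response random id chosen by the server
SAMPLE = (
    "<p>intro <script>alert(1)</script></p>"
    f"<NoScript id={NONCE}>"
    'user text <script>evil()</script> <a href="x" onclick="evil()">l</a>'
    "</NoScript id=bogus><script>still_inside()</script>"
    f"</NoScript id={NONCE}>"
    f"<MarkupValidationOn id={NONCE}>"
    f'<img src="webbug"> <img src="cow" id={NONCE}> text'
)


def strip_scripts(fragment: str) -> str:
    """Drop <script> elements and on* event-handler attributes from a fragment."""
    fragment = re.sub(r"(?is)<script\b.*?</script\s*>", "", fragment)
    return re.sub(r"(?i)\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", fragment)


def apply_noscript_regions(html: str, nonce: str) -> str:
    """Neutralise scripts between <NoScript id=N> and </NoScript id=N>.

    Only an end tag carrying the same id closes the region, so a forged
    </NoScript id=other> injected through user data stays inert text.
    """
    n = re.escape(nonce)
    region = re.compile(rf"(?is)<NoScript\s+id={n}\s*>(.*?)</NoScript\s+id={n}\s*>")
    return region.sub(lambda m: strip_scripts(m.group(1)), html)


def apply_markup_validation(html: str, nonce: str) -> str:
    """After <MarkupValidationOn id=N>, keep only tags that carry id=N."""
    head, marker, tail = html.partition(f"<MarkupValidationOn id={nonce}>")
    if not marker:
        return html
    n = re.escape(nonce)
    keep = lambda m: m.group(0) if re.search(rf"\bid={n}\b", m.group(0)) else ""
    return head + re.sub(r"<[^>]+>", keep, tail)


def sanitize(html: str, nonce: str) -> str:
    """Apply both region rules, in the order a browser would meet them."""
    return apply_markup_validation(apply_noscript_regions(html, nonce), nonce)


if __name__ == "__main__":
    print(sanitize(SAMPLE, NONCE))
```

A real implementation would have to live in the browser's own HTML tokenizer rather than in string matching, since parser quirks of the kind tracked here as mXSS can make a regex and the browser disagree about where a tag or region ends.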
Depends on: 361915
Depends on: 362235
Depends on: 362250
Depends on: 362259
Depends on: 55137
Depends on: jarxss
Blocks: 373140
No longer blocks: 373140
Depends on: 350830
Depends on: 376844
Depends on: PR07-01
Depends on: 376899
Depends on: 381412
Depends on: 390910
Depends on: 392459
Depends on: 305873
Depends on: 394534
Depends on: 395597
Depends on: 404252
Depends on: 406777
Depends on: 269116, 287990
Depends on: 414064
Depends on: CVE-2008-5510
Depends on: 423389
Depends on: 352437
Depends on: 441876
Depends on: 443177
Depends on: 443345
Depends on: 443564
Depends on: 444222
Depends on: 430740
Depends on: 446112
No longer depends on: 446112
Depends on: 446112
Depends on: 448166
Depends on: 450981
Depends on: 463948
Depends on: 489704
Depends on: 503789
Depends on: 510868
Depends on: 503632
Depends on: 502047
Depends on: xssfilter
Depends on: 530308
Depends on: CSP
Depends on: 557420
Depends on: 560927
Depends on: CVE-2010-1210
Depends on: 564706
Depends on: 574485
Depends on: 641148
Depends on: CVE-2012-1965
Depends on: 759382
Depends on: 779406
Depends on: 475216
Depends on: mXSS
Marking all tracking bugs which haven't been updated since 2014 as INCOMPLETE.
If this bug is still relevant, please reopen it and move it into a bugzilla component related to the work
being tracked. The Core: Tracking component will no longer be used.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard