Closed Bug 361915 Opened 13 years ago Closed 5 years ago
HTML security META tag to suppress XSS holes in web sites
Something like this? http://www.gerv.net/security/content-restrictions/ Gerv
A "trusted domains" field would give the xsite flags a great deal of flexibility ;)
Here is a neat idea, although I'm not sure if there is a valid way to implement it in HTML or XHTML without changing the spec. A new element, called <usermarkup>, that requires a closing tag. The UA guarantees that everything inside this element will be "sanitized", else the element and its contents are ignored. The UA also guarantees that if the server removes all instances of the exact string "</usermarkup>" from the element's contents, then no other sanitizing is required of the server. Combined with the flags mentioned above, there is no longer a "moving target" for filtering forums and blog systems.
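The server-side half of the proposal in the comment above, as an added example that is not part of the bug thread: removing "every instance" of the closing tag has to be repeated until the text stops changing, because one removal pass can splice a new closing tag together from the text on either side. `<usermarkup>` is the hypothetical element from the comment (no browser implements it), and the function names and sample strings are constructed for illustration.

```javascript
// Added example. <usermarkup> is the hypothetical element proposed in the
// comment; matching is on the exact string only, as that comment specifies.
const OPENER = "<usermarkup>";
const CLOSER = "</usermarkup>";

// One removal pass over the text: the naive reading of
// "remove all instances of the exact string".
function stripOnce(text) {
  return text.split(CLOSER).join("");
}

// Repeat the pass until the output is stable, so that deleting one
// instance cannot leave behind a closing tag assembled from its neighbours.
function stripToFixedPoint(text) {
  let prev;
  do {
    prev = text;
    text = stripOnce(text);
  } while (text !== prev);
  return text;
}

// Wrap untrusted text so the only closing tag present is the server's own.
function wrapUserContent(text) {
  return OPENER + stripToFixedPoint(text) + CLOSER;
}

// Count closing tags in a finished fragment (a server-side self-check).
function countClosers(html) {
  return html.split(CLOSER).length - 1;
}

// Constructed sample inputs.
const samples = [
  "hello <b>world</b>",
  "a</usermarkup>b",
  "a</user</usermarkup>markup>b", // closing tag re-forms after one pass
];
for (const s of samples) {
  const once = countClosers(OPENER + stripOnce(s) + CLOSER);
  const fixed = countClosers(wrapUserContent(s));
  console.log(JSON.stringify(s), "closers after one pass:", once,
              "after fixed point:", fixed);
}
```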
btw, could this be implemented as "<!-- <usermarkup>" ?
Can we all please stop having ideas that have been had many, many times before? <sigh>. The usermarkup (or sandbox or whatever it's called this week) tag is, according to bz last time I asked him, extremely hard to implement in a way that would actually work and achieve what you wanted. If people have ideas for new security stuff, propose it in the newsgroup. Gerv
Could relate to Bug #252342 where it was suggested server headers be used to filter out cookies on incorrect domain names, such as ".com."
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CSP