[whatwg] Content Restrictions

Alexey Feldgendler alexey at feldgendler.ru
Mon Jan 30 08:13:56 PST 2006


On Mon, 30 Jan 2006 21:21:13 +0600, Gervase Markham <gerv at mozilla.org>  
wrote:

>> It's specifically targeted at keeping decent security in older browsers.
>> User agents that don't support sandboxing won't execute the scripts at  
>> all.

> What problem are you trying to solve with this proposal? I'm not sure
> it's the same one that I am. You are trying to solve the problem of
> letting LiveJournal authors include certain types of "safe" script on
> their page, when currently they aren't allowed to include any.
>
> I'm trying to solve the problem of protecting users from XSS attacks
> when there are unexpected bugs in an author's web application.

Well, now I see. Really, for this use case your proposal seems reasonable,  
but because my proposed <sandbox> element covers both use cases (allowing  
limited scripting in user-supplied content, and protection against XSS  
bugs as a second line of defense), the content restrictions specified by a  
HTTP header may be a duplication. If <sandbox> ends up in the spec, then  
the header needs not.

> And anyway, I don't think it's a serious security problem, because it
> already has a solution - filter out <script> altogether. I've not come
> across a compelling use case which says that blogs and wikis need to
> allow people to insert certain sorts of script into the blogpost or wiki
> page.

http://www.livejournal.com/support/faqbrowse.bml?faqid=14
They clearly state that they would like to allow scripts, but they don't  
know how to do it safely.
I think it's not just a problem of this particular site.


-- 
Opera M2 8.5 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station [ICQ: 115226275] <alexey at feldgendler.ru>



More information about the whatwg mailing list