[whatwg] Content Restrictions
Alexey Feldgendler
alexey at feldgendler.ru
Mon Jan 30 08:13:56 PST 2006
On Mon, 30 Jan 2006 21:21:13 +0600, Gervase Markham <gerv at mozilla.org>
wrote:
>> It's specifically targeted at keeping decent security in older browsers.
>> User agents that don't support sandboxing won't execute the scripts at
>> all.
> What problem are you trying to solve with this proposal? I'm not sure
> it's the same one that I am. You are trying to solve the problem of
> letting LiveJournal authors include certain types of "safe" script on
> their page, when currently they aren't allowed to include any.
>
> I'm trying to solve the problem of protecting users from XSS attacks
> when there are unexpected bugs in an author's web application.

Well, now I see. Really, for this use case your proposal seems reasonable,
but because my proposed <sandbox> element covers both use cases (allowing
limited scripting in user-supplied content, and protection against XSS
bugs as a second line of defense), the content restrictions specified by an
HTTP header may be a duplication. If <sandbox> ends up in the spec, then
the header need not.

> And anyway, I don't think it's a serious security problem, because it
> already has a solution - filter out <script> altogether. I've not come
> across a compelling use case which says that blogs and wikis need to
> allow people to insert certain sorts of script into the blogpost or wiki
> page.

http://www.livejournal.com/support/faqbrowse.bml?faqid=14

They clearly state that they would like to allow scripts, but they don't
know how to do it safely.

I think it's not just a problem of this particular site.

--
Opera M2 8.5 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station [ICQ: 115226275] <alexey at feldgendler.ru>