[whatwg] Content Restrictions
Hallvord Reiar Michaelsen Steen
hallvord at hallvord.com
Mon Jan 30 09:49:03 PST 2006
On 27 Jan 2006 at 12:29, Gervase Markham wrote:
> I'd like to present to the group for comment my "Content Restrictions"
> proposal. http://www.gerv.net/security/content-restrictions/
Hi Gerv,
first of all: it's great to get some fresh ideas here. You've seen
the earlier thread and it didn't get enough brainstorming going..
My colleague Sigbjørn had some thoughts, forwarding with his
permission:
> ------- Forwarded message -------
> From: "Sigbjørn Vik"
> Subject: Re: [Evil-knights] Fwd: [whatwg] Content Restrictions
> Date: Fri, 27 Jan 2006 22:18:54 +0900
>
> I support the idea, but not the granularity of it. The author is trying to
> do the same thing as the webmails that fail, by specifying exactly what
> can and cannot be allowed. Even if cookie access is disallowed, a script
> would be able to call some other function in a parent frame which is
> allowed this access, and thus get the cookies anyhow. The fine granularity
> opens up for a lot more security issues and creativity of exploiters, which
> would make web browsers reluctant to implement it. The complexity of
> allowing scripts access to only parts of the DOM will also make web
> browsers reluctant to implement it. Not to mention the difficulty for
> web-authors in understanding the security implications of the various
> choices.
>
> Instead, I would suggest just three types of restrictions: script, style,
> embedded content (anything loaded from a 3rd party server). I'd even
> suggest that each one of them is off only, no values or granularity
> allowed.
>
> Also, meta tags need to be allowed and take precedence over http headers.
> (To make it possible to override things for a given page without having to
> have access to the server.)
I generally agree with those comments (except the META tag
statement). There can be quite some security in simplicity :-)
You replied to Alexey Feldgendler:
> What problem are you trying to solve with this proposal? I'm not sure
> it's the same one that I am. You are trying to solve the problem of
> letting LiveJournal authors include certain types of "safe" script on
> their page, when currently they aren't allowed to include any.
>
> I'm trying to solve the problem of protecting users from XSS attacks
But actually the details of your approach are powerful enough to have
other use cases, so you're covering similar ground to what Alexey and
I were discussing.
The main complexity in doing anything in this area is probably the
flexibility of JavaScript. I don't think any UA really keeps track of
the origin of each script - they are all associated with the domain
of the page they are running in, and that's how same-origin security
policies are applied. However, trying to make that more granular is a
major headache. That's why I really like your approach of (as far as I
can see) defining policies that are applied to all scripts in the
document. Of course it limits what sort of scripting the webmaster
can deploy along with the possibly insecure scripts, but it is a very
interesting angle.
--
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/
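The confused-deputy problem Sigbjørn raises (a script denied cookie access simply calls a function in a frame that is allowed it) can be modelled in a few lines. The following is an added illustration written for this archive page, not code from the thread, from Gerv's proposal or from any browser; the cookie value, the `enforce*` function names and the way a UA "attributes" an access to a script are all invented for the model. It contrasts a per-script policy, which the trusted helper defeats, with the document-wide policy Hallvord describes, where the helper is denied just like everyone else:

```javascript
// Toy model of two enforcement strategies for a "no cookie access" restriction.
// Constructed example: the document, the cookie value and the policy objects
// are stand-ins for browser internals and are not real APIs.

// A fake document whose cookie property consults a policy on every read.
function makeFakeDocument(policy) {
  const state = { cookie: 'session=abc123' }; // constructed sample value
  return new Proxy(state, {
    get(target, prop) {
      if (prop === 'cookie' && !policy.mayReadCookies()) {
        throw new Error('cookie access denied by content restriction');
      }
      return target[prop];
    },
  });
}

// Model 1: per-script granularity. The UA tracks which script's code is
// currently executing and attributes each access to that script. A helper
// defined by the page's own (allowed) script therefore runs with the page's
// privileges even when a restricted script is the one calling it.
function enforcePerScript() {
  const stack = [];
  const policy = { mayReadCookies: () => stack[stack.length - 1] !== 'restricted' };
  const doc = makeFakeDocument(policy);
  const asScript = (name, fn) => {
    stack.push(name);
    try { return fn(); } finally { stack.pop(); }
  };

  // Helper in the parent frame, written by the (trusted) page author.
  const parentFrame = {
    getSessionToken: () => asScript('page', () => doc.cookie),
  };

  let direct, viaParent;
  asScript('restricted', () => {
    try { direct = doc.cookie; } catch (e) { direct = e.message; }
    viaParent = parentFrame.getSessionToken(); // the deputy does the read
  });
  return { direct, viaParent };
}

// Model 2: one policy for the whole document. There is no privileged
// intermediary to call, so the helper is denied exactly like the caller.
function enforcePerDocument() {
  const policy = { mayReadCookies: () => false };
  const doc = makeFakeDocument(policy);
  const parentFrame = { getSessionToken: () => doc.cookie };

  let direct, viaParent;
  try { direct = doc.cookie; } catch (e) { direct = e.message; }
  try { viaParent = parentFrame.getSessionToken(); } catch (e) { viaParent = e.message; }
  return { direct, viaParent };
}

console.log('per-script:  ', enforcePerScript());
console.log('per-document:', enforcePerDocument());
```

Run with `node`; in the per-script model the direct read is refused but `viaParent` yields the cookie, while the per-document model refuses both. The model deliberately ignores how a real UA would decide which script is "current" (stack inspection, lexical origin, realm), since that is exactly the complexity the thread argues browser vendors would not want to take on.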