- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Wed, 14 Dec 2011 14:08:33 -0800 (PST)
- To: public-web-security@w3.org
As you probably know, browsers have been wrestling with various solutions to the "Self-XSS" issue that has been plaguing social networking sites of late. If you're not aware, these are the attacks where users are lured into running a malicious JavaScript bookmarklet in their browser. These attacks have evolved, since browsers have taken several different approaches to neutering the ___location bar vector, to now leverage other browser functionality such as the JavaScript console.

I propose that we add a new directive, no-user-js, which would cause the user-agent to disable functionality that allows the user to run JavaScript in the context of the page. This would include the ___location bar as well as any other place that provides equivalent functionality. This would NOT affect view-source or any other introspective, or "read-only", functionality.

Bookmarks seem to be a bit of a gray area, since technically users could be duped into creating a malicious bookmarklet and running it, but I tend to favor still allowing bookmarklets since the attack would be quite a bit more obvious, and this is a use case that would piss off lots of people if broken [1].

There is a set of users who we cannot reasonably protect: "run this executable to get neato Farmville upgrades!". Of course we could leave this up to user-agents to decide how to handle this case.

Does anyone object to this proposal?

Thanks,
Brandon

[1] Mozilla pissed off a huge number of people by turning off javascript: URLs in the ___location bar. See the comment thread in https://bugzilla.mozilla.org/show_bug.cgi?id=656433
Received on Wednesday, 14 December 2011 22:09:10 UTC