Re: XSS mitigation in browsers from Michal Zalewski on 2011-01-19 (public-web-security@w3.org from January 2011)

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 19 Jan 2011 15:40:44 -0800
To: Adam Barth <w3c@adambarth.com>
Cc: public-web-security@w3.org, Sid Stamm <sid@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>
Message-ID: <AANLkTi=VHugpaRYtOqNh6W-23uH2gWKyq5ECg9sWhUmv@mail.gmail.com>

> The current text just uses the final URL. �Is there some reason every
> hop is important? �Using the final URL is analogous to how <iframe>
> works, for example.

Yeah, I meant to say it should not settling for checking the initial
URL only (this is a mistake repeated so many times with
XMLHttpRequest, etc, that it's becoming very sad). Last URL is
obviously fine.

> The attacker can always just avoid doing anything that triggers a
> SecurityViolation (because triggering SecurityViolations is useless
> from the attacker's point of view). �The monitoring aspect is mostly
> useful for the non-malicious case: to make sure you're not screwing up
> your policy somehow.

OK, fair point.

/mz

Received on Wednesday, 19 January 2011 23:41:36 UTC