[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

From: Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Date: Fri, 10 Aug 2007 15:50:04 -0700


On Aug 16, 2007, at 4:17 PM, Amit Klein wrote:

Anurag Agarwal wrote:
I am looking to get views from people on the list about a proposed security restriction in the browsers

I hope you're aware of Gervase Markham's http://www.gerv.net/ security/content-restrictions/
*The browser should check with the webserver which domains it can interact with (load files from or submit post data to, etc) for that website. How the check is implemented is upto the browser.*

For example: If a page from mybank.com is trying to submit data to attacker.com then before submitting the data, the browser should check with the mybank.com if it is allowed to do so. Q1. is it reasonable? Q2. What are the pros and cons of this approach? Q3. Would it limit some types of browser attacks (like some xss vectors, etc)? Q4. Would it open any new types of attack vectors?

For one, it doesn't fully handle situations in which the XSS payload can write compromised data to another (publicly accessible, or at least attacker accessible) part of the site. For example, an XSS payload may take the cookie value and "store" it in another part of the site, such as a page to where comments can be submitted. The attacker then only needs to frequently poll this section of the site and collect the data.

According to my understanding of content restrictions, this would depend on:

1) The policy allowing the code to execute from wherever it echoed.
2) The policy allowing document.cookie

of course, nothing says that a website would have such a policy or that its written well... but the spec should be able to accommodate this restriction.

Regards,

Jeremiah-

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Follow-Ups:
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
  - From: Amit Klein

References:
- [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
  - From: Anurag Agarwal
- Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
  - From: Amit Klein

Prev by Date: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Next by Date: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Previous by thread: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Next by thread: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site