Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

[Amit Klein <aksecurity@xxxxxxxxx>]

Jeremiah Grossman wrote:
> > For one, it doesn't fully handle situations in which the XSS payload 
> > can write compromised data to another (publicly accessible, or at 
> > least attacker accessible) part of the site. For example, an XSS 
> > payload may take the cookie value and "store" it in another part of 
> > the site, such as a page to where comments can be submitted. The 
> > attacker then only needs to frequently poll this section of the site 
> > and collect the data.
>
> According to my understanding of content restrictions, this would 
> depend on:

But these restrictions were not mentioned in the original posting...

> 1) The policy allowing the code to execute from wherever it echoed.

Ah, but with this restriction, XSS would not be possible in the first 
place (in that specific plication)...

> 2) The policy allowing document.cookie

Right.

> of course, nothing says that a website would have such a policy or 
> that its written well... but the spec should be able to accommodate 
> this restriction.

Indeed.


-Amit

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]