Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

[Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>]

On Aug 17, 2007, at 2:49 AM, Amit Klein wrote:

> Jeremiah Grossman wrote:
> > > For one, it doesn't fully handle situations in which the XSS  
> > > payload can write compromised data to another (publicly  
> > > accessible, or at least attacker accessible) part of the site.  
> > > For example, an XSS payload may take the cookie value and "store"  
> > > it in another part of the site, such as a page to where comments  
> > > can be submitted. The attacker then only needs to frequently poll  
> > > this section of the site and collect the data.
> >
> > According to my understanding of content restrictions, this would  
> > depend on:
>
> But these restrictions were not mentioned in the original posting...
>
> > 1) The policy allowing the code to execute from wherever it echoed.
>
> Ah, but with this restriction, XSS would not be possible in the  
> first place (in that specific plication)...
>
> > 2) The policy allowing document.cookie
>
> Right.
>
> > of course, nothing says that a website would have such a policy or  
> > that its written well... but the spec should be able to  
> > accommodate this restriction.
>
> Indeed.

Right right, I wasn't trying to contradict you, just clarifying what  
I believe content restrictions would be able to compensate for.

Regards,

Jeremiah-


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]