Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

["Andy Steingruebl" <steingra@xxxxxxxxx>]

On 8/12/07, pdp (architect) <pdp.gnucitizen@xxxxxxxxxxxxxx> wrote:
>
> The reason I mentioned that is because GET is usually in a form of a
> link or image. If you block these then you break the most fundamental
> principle the web is based on.

Again, I think that there are a couple of issues here, namely:

 - What types of statements do we want our policy language to be able to make?
 - How do we want to browser to determine the policy, in what context, etc?

Doing things like an extra header muddies the waters with respect to
things like HTTP Response Splitting.

In the SMTP world where the protocol didn't support certain policy
assertions we moved to a completely out-of-band mechanism for SPF-
namely TXT records in DNS.  I'll be the first to agree that this is a
pretty bad idea in terms of protocol overloading, but at the same time
it gives us an out-of-band mechanism for indicating policy.

What I think would be useful to move this forward would be to list out
the types of attacks (loosely defined) and then the types of policy
statements we'd want a site to be able to make to prevent or defend
somehow against the attack.  Gerv did a bunch of this in his work - we
ought to come up with a relatively exhaustive list of assertions and
what they help with.

-- 
Andy Steingruebl
steingra@xxxxxxxxx

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]