bsterne wrote:
> I've recently published a proposal for Site Security Policy, a
> framework for allowing sites to describe how content in their pages
> should behave (thanks, Gerv):
>
> http://people.mozilla.com/~bsterne/site-security-policy
>
> I'm creating a placeholder for any discussion that comes out of that
> publication. I hope to collect here people's ideas for proposed
> functionality as well as other details which may be useful in creating
> a common specification.

I just "stumbled" through the code and noticed a few things and have a few suggestions:

* A lot of reinvent-the-wheel code is in there, like getHostFromURL (instead of using nsIURI/nsIURL/nsIEffectiveTLDService).
* A regex-based home-brewed HTML parser. I wonder how good it is, how good it will get... Bad people are known to be quite creative when it comes to finding ways to obscure injections. (http://php-ids.org/)
  I know getting this right is quite tricky. I implemented such a thing myself, but after some months somebody figured out how to circumvent it...
  I don't know if there is a reliable way to "hijack" the DOM before any scripts are executed, but I guess this would be a better approach, as you then get what the rendering engine gets as well.
* External scripts might be prohibited from loading by implementing nsIContentPolicy (like Adblock Plus does, for example, and I think NoScript does as well).
* clean = this.data.replace(/google/ig,'yahoo');
  Huh? Prototyping, eh? ;)
* this.status = "On" | "Off"... What happened to booleans?

Interesting idea indeed. Glad somebody started to implement it.
Maybe you should get in touch with Giorgio of NoScript fame. He is very knowledgeable in this area, and furthermore I think it might be interesting to implement this in NoScript as well to some extent.

Cheers
Nils
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
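Added example, not part of the message above and not the Site Security Policy code: why a policy check should take the host from the platform's URL parser rather than from a hand-rolled helper. naiveHost() is a hypothetical stand-in for a getHostFromURL-style function, the standard URL class stands in for nsIURI (which is only available to privileged browser code), and all sample URLs are constructed.

```javascript
// Added example. naiveHost() is a hypothetical hand-rolled extractor standing in
// for a getHostFromURL-style helper; it is NOT the proposal's actual code.
function naiveHost(url) {
  // Take everything after "scheme://" up to the first "/", ":", "?" or "#".
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Parser-backed extractor: ask the platform's URL parser which host it will contact.
function parsedHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null; // unparseable input is treated as "no host", i.e. not allowed
  }
}

// Policy check parameterised on the extractor, so both can be compared.
function hostAllowed(url, allowedHosts, extractHost) {
  const host = extractHost(url);
  return host !== null && allowedHosts.includes(host);
}

// Constructed sample URLs (reserved example names, no real targets).
const SAMPLES = [
  "http://example.org/path",             // plain host
  "http://EXAMPLE.org:8080/",            // case and port
  "http://example.org:x@other.example/", // userinfo that looks like host:port
  "http://[2001:db8::1]:8080/",          // IPv6 literal
];

// Report where the two extractors disagree for a given allowlist.
function compare(urls, allowedHosts) {
  return urls.map((url) => ({
    url,
    naive: naiveHost(url),
    parsed: parsedHost(url),
    naiveAllows: hostAllowed(url, allowedHosts, naiveHost),
    parsedAllows: hostAllowed(url, allowedHosts, parsedHost),
  }));
}

console.table(compare(SAMPLES, ["example.org"]));
```

In the third row the hand-rolled extractor reports an allowed host while the parser reports the host the request would actually go to; any such disagreement between the policy code and the engine is a gap in enforcement.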