Adam Barth wrote:
I've taken the liberty of sketching out a straw-man XSSModule for CSP
on the Mozilla wiki:

https://wiki.mozilla.org/Security/CSP/XSSModule

I welcome your feedback,
Adam

Hi Adam,

I'm not sure if hacking at the straw man should occur on the list or on the wiki. Please let me know if it should go to the wiki.

Threat Model:

"We further assume the web developer wishes to prevent the attacker from achieving any of the following goals:

* The attacker must not learn the contents of the target web site's cookies."

A broader definition than cookie stealing that also covers integrity issues like defacement could be:

* The attacker's sequence of injected bytes is interpreted as one or more script instructions and executed with the privileges of the (CSP-protected) document.

If the purpose of the threat model is to scope out the protections afforded by the module, then the following may be more appropriate:

* The attacker's sequence of injected bytes is interpreted as an inline script (i.e., <script> element without |src| attribute, script element attribute, javascript: URI, dynamic CSS, etc.)

* The attacker's sequence of injected bytes is interpreted as a reference to external script, where the external script is located at a different origin to the document protected by CSP

* The attacker's sequence of injected bytes is compiled as a result of executing an allowed script (e.g., via eval(), setTimeout(), setInterval(), or Function constructor)


block-xss directive:

The effects of this directive are given in a default-allow style, which could lead to gaps in protection. (Some possible gaps are commented on in the Open Issues section.) Could the effects of block-xss be specified as exceptions to a default-deny policy?


Open Issues section:

IE's CSS behaviors and expressions could fit in the same category as XBL bindings, as they are non-standard features that can be used as XSS vectors.

Mike
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
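As an added illustration of the two points raised in the reply above (the three vector classes in the threat model, and specifying block-xss as exceptions to a default-deny policy rather than as a default-allow list), here is a small default-deny script-policy evaluator. It is example code written for this page, not the straw-man XSSModule from the wiki and not Mozilla code. It borrows the source keywords 'self', 'unsafe-inline' and 'unsafe-eval' from the later standardized CSP script-src directive, which did not exist in the straw man; the header strings, document origin and script "requests" below are constructed for the demonstration.

```javascript
// Added example (not from the thread): a default-deny evaluator for a
// script-src style directive. Every script load is denied unless the policy
// names an exception for it, which is the "exceptions to default-deny" shape
// the reply asks for instead of a default-allow list of blocked things.

// Parse a header such as "default-src 'none'; script-src 'self' https://cdn.example.com"
// into a policy object. Only script-src is modelled here (assumption for the example).
function parseScriptSrc(header) {
  const policy = { self: false, unsafeInline: false, unsafeEval: false, hosts: [] };
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0 || tokens[0].toLowerCase() !== 'script-src') continue;
    for (const src of tokens.slice(1)) {
      const lower = src.toLowerCase();
      if (lower === "'self'") policy.self = true;
      else if (lower === "'unsafe-inline'") policy.unsafeInline = true;
      else if (lower === "'unsafe-eval'") policy.unsafeEval = true;
      else if (lower !== "'none'") policy.hosts.push(lower);
    }
  }
  return policy;
}

// Match one host-source ("*", "https://cdn.example.com", "*.example.com",
// "cdn.example.com") against a script URL. Ports are ignored for brevity.
function matchesHost(source, url) {
  const u = new URL(url);
  if (source === '*') return true;
  let scheme = null;
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1]; host = m[2]; }
  host = host.replace(/:\d+$/, '');
  if (scheme && scheme + ':' !== u.protocol) return false;   // scheme must match when given
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);                              // ".example.com"
    return u.hostname.endsWith(suffix) && u.hostname.length > suffix.length;
  }
  return u.hostname === host;
}

// Decide one script "request". `kind` is one of the three vector classes from
// the threat-model reply: 'inline', 'external' (with a url) or 'eval'
// (eval, setTimeout/setInterval with string arguments, Function constructor).
// Anything not explicitly allowed, including unknown kinds, is denied.
function isAllowed(policy, documentOrigin, request) {
  switch (request.kind) {
    case 'inline':
      return policy.unsafeInline;
    case 'eval':
      return policy.unsafeEval;
    case 'external': {
      const origin = new URL(request.url).origin;
      if (policy.self && origin === documentOrigin) return true;
      return policy.hosts.some((h) => matchesHost(h, request.url));
    }
    default:
      return false;
  }
}

// Run a list of requests against a header and report each decision.
function auditRequests(header, documentOrigin, requests) {
  const policy = parseScriptSrc(header);
  return requests.map((r) => ({ ...r, allowed: isAllowed(policy, documentOrigin, r) }));
}

// Constructed sample: a page on https://app.example.com that legitimately loads
// its own scripts and one library from a CDN, facing the three vector classes.
const SAMPLE_ORIGIN = 'https://app.example.com';
const SAMPLE_REQUESTS = [
  { kind: 'external', url: 'https://app.example.com/main.js' },   // same origin
  { kind: 'external', url: 'https://cdn.example.com/lib.js' },    // allowed CDN
  { kind: 'external', url: 'https://evil.example.net/x.js' },     // injected reference
  { kind: 'external', url: 'http://cdn.example.com/lib.js' },     // scheme downgrade
  { kind: 'inline' },                                               // injected inline script
  { kind: 'eval' },                                                 // string compiled by eval()
];
const STRICT_HEADER = "default-src 'none'; script-src 'self' https://cdn.example.com";

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditRequests(STRICT_HEADER, SAMPLE_ORIGIN, SAMPLE_REQUESTS)) {
    console.log(`${r.allowed ? 'ALLOW' : 'DENY '} ${r.kind}${r.url ? ' ' + r.url : ''}`);
  }
}
```

Under the strict header only the two same-origin and CDN loads are allowed; the injected cross-origin reference, the scheme-downgraded CDN URL, the inline script and the eval-compiled string are all denied without being individually enumerated, which is the property the default-deny formulation gives you and a default-allow block list does not.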
