This would include Scratchpad.
The Firebug console is disabled by default, and that seems (so far) like good enough protection. [1] The Error Console is preffed-off by default (would need to check but I think that's right), so by analogy with Firebug, I'm not too worried about that either.

(I'm not sure if I have permission to post to mozilla-dev-secur...@lists.mozilla.org, if you don't see this pop-up there, please could someone repost?)

Joe.

[1] It seems that zombie users in search of snakeoil are put off by all but the most simple instructions. The bar of complexity that we need to get beat is to be harder than WIN+R/cmd/... which gives as much if not more destructive power than a JS prompt.


On 13/04/2012 00:13, Paul Theriault wrote:
I assume this protection would be extended to all facilities which allow users to execute script (scratchpad, error console, are there others?) And things like firebug would be out of scope, although they could choose to respect this header or not.


On 4/13/12 7:42 AM, Tanvi Vyas wrote:
Given recent social-engineering attacks, Firefox no longer allows javascript in the address bar (https://bugzilla.mozilla.org/show_bug.cgi?id=656433). The same issue could exist with the Web Console. An attacker could ask a user to use the keyboard shortcut to open the web console and copy and paste javascript on a page that is vulnerable to DOM-based or self XSS.

To mitigate this potential attack, we are considering adding a new CSP directive 'no-user-js' that can be set by websites being targeted by this attack (http://incompleteness.me/mozblog/2011/12/14/combating-self-xss/):
X-Content-Security-Policy: no-user-js

Developers who want to use the Web Console to test their sites on websites that have set 'no-user-js' would have a preference to override the 'no-user-js' directive. For websites that have not set 'no-user-js', developers would see no change to Web Console.

Thoughts?

~Tanvi
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
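The proposal above describes a browser-side decision: refuse user-entered script in the Web Console when the page's policy carries `no-user-js`, unless the developer has set an override preference. The following is an added illustration written for this thread, not Firefox code and not part of any shipped CSP implementation; it models that decision as a small policy check so the three cases (no header, header without override, header with override) can be seen side by side. The header name and directive token are taken from the proposal; the `developer_override` flag stands in for the preference Tanvi mentions and is an assumption.

```python
"""Model of the proposed 'no-user-js' CSP directive (added example, not Firefox code).

The browser side of the proposal has to answer one question before running
script typed or pasted into the Web Console: does the current page's policy
forbid user-entered JS, and if so, has the developer explicitly overridden it?
"""

# Header name from the proposal in the thread; real-world CSP uses
# 'Content-Security-Policy', the X- prefix was Firefox's early experimental name.
POLICY_HEADER = "x-content-security-policy"
NO_USER_JS = "no-user-js"


def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [source tokens]}.

    Directives are ';'-separated; the first whitespace token is the directive
    name, the rest are its values. Names are lower-cased because CSP directive
    names are case-insensitive. A valueless directive (like 'no-user-js')
    maps to an empty list.
    """
    directives = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives[tokens[0].lower()] = tokens[1:]
    return directives


def user_js_allowed(response_headers, developer_override=False):
    """Decide whether user-entered JS may run on this page.

    response_headers: dict of header name -> value for the page response.
    developer_override: models the preference the proposal would add so that
    developers can keep using the Web Console on sites that set 'no-user-js'.

    Returns (allowed, reason) so the caller can surface the reason to the user.
    """
    # Header names are case-insensitive; normalise before lookup.
    normalised = {name.lower(): value for name, value in response_headers.items()}
    policy_value = normalised.get(POLICY_HEADER)

    if policy_value is None:
        return True, "no policy header; Web Console unchanged"

    directives = parse_csp(policy_value)
    if NO_USER_JS not in directives:
        return True, "policy present but does not set no-user-js"

    if developer_override:
        return True, "no-user-js set, but developer override preference is on"

    return False, "no-user-js set by the site; user-entered script refused"


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "plain page": {"Content-Type": "text/html"},
        "protected page": {"X-Content-Security-Policy": "no-user-js"},
        "protected + other directives": {
            "x-content-security-policy": "default-src 'self'; no-user-js"
        },
    }
    for label, headers in samples.items():
        for override in (False, True):
            allowed, why = user_js_allowed(headers, developer_override=override)
            print(f"{label:30} override={override!s:5} allowed={allowed!s:5} ({why})")
```

The point of keeping `parse_csp` separate is that `no-user-js` would have to coexist with ordinary directives such as `default-src`; the check must look for the directive inside a parsed policy rather than string-match the whole header value.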

