On Jun 4, 11:46 am, bsterne <[EMAIL PROTECTED]> wrote:
> I've recently published a proposal for Site Security Policy, a
> framework for allowing sites to describe how content in their pages
> should behave (thanks, Gerv):
>
> http://people.mozilla.com/~bsterne/site-security-policy
>
> I'm creating a placeholder for any discussion that comes out of that
> publication. I hope to collect here people's ideas for proposed
> functionality as well as other details which may be useful in creating
> a common specification.
One of the most important features lacking, IMHO, is the ability to restrict what hosts that are 'script src'd' can do. Currently they have full DOM access, which is contributing towards drive-by malware on ad networks and other nastiness. We need the ability to allow JavaScript to be hosted on a third-party domain, but to restrict what resources that JS can access. For example, allow an ad network to create image objects with links, but disallow cookie access or redirections. Lots of possibilities here.

We also should discuss restricting certain technologies from being used. For example, instruct the browser to disallow ActiveX/Flash/applets/JavaFX/Silverlight from executing on the domain unless explicitly defined in the policy as an allowed behavior. Sure, the browser has no ability to restrict what Flash/other technologies can do once they are started, but it can restrict them from being loaded/called in the first place.

There are additional discussions going on at http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html discussing this topic as well.

Great to see this moving forward.

Regards,
- Robert Auger
http://www.webappsec.org/

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security