Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-14 Thread Kevin Chadwick
On Fri, 13 Apr 2012 10:52:50 -0700 Johnathan Nightingale wrote: > I think Joe's framing here is exactly right. Not only do I not want to make > our developer tools first-run experience less pleasant by adding warnings, > but I also doubt that easily-dismissed warnings would be genuinely effectiv

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread Johnathan Nightingale
On Apr 13, 2012, at 10:22 AM, Joe Walker wrote: > We can't and shouldn't, attempt to provide 100% protection for all forms of > stupidity here. This is a response to a specific class of problems, involving > some sort of viral propagation. > Therefore the long tail of sites doesn't need protectio

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread Devdatta Akhawe
> I don't think that's a deal-breaker, it's a one-time mild annoyance at worst. > Make it a flag (pref) handled by Sync, and when you use > Sync to pull in your existing stuff it's a non-issue. Do you have a number on how many Sync users Mozilla has (vs. total users)? It is not a one-time mild an

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread joseph . walker
On Friday, April 13, 2012 9:16:11 PM UTC+1, Justin Dolske wrote: > On 4/13/12 10:49 AM, Tanvi Vyas wrote: > > > One thought I had was requiring that the very first time a user uses a > > developer tool, the user needs to go to Tools->WebDeveloper->Selected > > Devtool. After that, keyboard shortcu

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread Justin Dolske
On 4/13/12 10:49 AM, Tanvi Vyas wrote: One thought I had was requiring that the very first time a user uses a developer tool, the user needs to go to Tools->WebDeveloper->Selected Devtool. After that, keyboard shortcuts would work for all devtools. The developer wouldn't have to do anything else

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread Tanvi Vyas
On 4/13/12 6:37 AM, Henri Sivonen wrote: The proposed scheme would fail to protect the long tail of sites while it would be annoying for debugging sites that use the directive. If a developer can override the directive via a preference, a social-engineering attack could tell excessively gullibl

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread Joe Walker
On 13/04/2012 14:37, Henri Sivonen wrote: On Fri, Apr 13, 2012 at 12:42 AM, Tanvi Vyas wrote: Given recent social-engineering attacks, Firefox no longer allows javascript in the address bar (https://bugzilla.mozilla.org/show_bug.cgi?id=656433). The same issue could exist with the Web Console.

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread Henri Sivonen
On Fri, Apr 13, 2012 at 12:42 AM, Tanvi Vyas wrote: > Given recent social-engineering attacks, Firefox no longer allows javascript > in the address bar (https://bugzilla.mozilla.org/show_bug.cgi?id=656433). > The same issue could exist with the Web Console. An attacker could ask a > user to use

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread Joe Walker
The argument is that the opt-in semantics of script-src (i.e. it's a whitelist) are spoiled by the opt-out nature of this protection (i.e. it's a blacklist), so a new directive is better. Joe. On 13/04/2012 02:57, Devdatta Akhawe wrote: How about "no-user" as a source expression in script-sr

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-13 Thread Joe Walker
This would include Scratchpad. The Firebug console is disabled by default, and that seems (so far) like good enough protection. [1] The Error Console is preffed-off by default (would need to check but I think that's right), so by analogy with Firebug, I'm not too worried about that either. (

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-12 Thread Justin Dolske
On 4/12/12 2:42 PM, Tanvi Vyas wrote: To mitigate this potential attack, we are considering adding a new CSP directive 'no-user-js' that can be set by websites being targeted by this attack (http://incompleteness.me/mozblog/2011/12/14/combating-self-xss/): X-Content-Security-Policy: no-user-js

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-12 Thread Devdatta Akhawe
How about "no-user" as a source expression in script-src, instead? On 12 April 2012 14:42, Tanvi Vyas wrote: > Given recent social-engineering attacks, Firefox no longer allows > javascript in the address bar (https://bugzilla.mozilla.org/show_bug.cgi?id=656433

Re: no-user-js - New CSP directive to mitigate Self-XSS

2012-04-12 Thread Paul Theriault
I assume this protection would be extended to all facilities which allow users to execute script (Scratchpad, Error Console, are there others?) And things like Firebug would be out of scope, although they could choose to respect this header or not. On 4/13/12 7:42 AM, Tanvi Vyas wrote: Given

no-user-js - New CSP directive to mitigate Self-XSS

2012-04-12 Thread Tanvi Vyas
Given recent social-engineering attacks, Firefox no longer allows javascript in the address bar (https://bugzilla.mozilla.org/show_bug.cgi?id=656433). The same issue could exist with the Web Console. An attacker could ask a user to use the keyboard shortcut to open the web console and copy an