The WebKit community is considering taking up such an experimental
implementation.  Here's my current proposal for how this might work:

http://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTJzbTY1cWJrNA&hl=en

I would appreciate any feedback on the design.

A whitelist requires developers to know about the potential risks of each element/property, and that's not obvious to everyone: e.g. one might want to allow object/embed (for harmless YouTube videos) without realizing that it enables XSS.

It's also non-obvious that the style attribute is an XSS risk (via the behavior property). A higher-level filtering option could allow the style attribute and only filter out that property. The current proposal would need another whitelist for CSS properties.

And even a whitelist for CSS properties couldn't be used to implement a "No external access" policy (allow images with data: URLs, allow http: links, but not http: images). This would be useful for webmails and other places where the website doesn't want to allow third parties to track views.

"No clickjacking" option might be useful as well.

--
regards, Kornel Lesiński
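As an added illustration of the "No external access" policy described above (example code, not from the thread or from WebKit): a small whitelist sanitizer built on Python's html.parser that keeps http(s): links and data: images, drops external images whole, and drops the style attribute along with every other attribute. The tag list and the rejection of relative URLs are assumptions made for the example.

```python
# Added example: element whitelist plus a "no external access" policy.
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img"}  # assumed minimal set

def _url_ok(value, schemes):
    # Reject any scheme outside the allowed set; a missing scheme (relative
    # URL) is treated as an external reference and rejected as well.
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme in schemes

def _filter_attrs(tag, attrs):
    kept = []
    for name, value in attrs:
        name = name.lower()
        value = value or ""
        if tag == "a" and name == "href" and _url_ok(value, {"http", "https"}):
            kept.append((name, value))
        elif tag == "img" and name == "src" and _url_ok(value, {"data"}):
            kept.append((name, value))
        # style, on*, and every other attribute are dropped
    return kept

class NoExternalAccessSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown elements (object, embed, script, ...) vanish
        attrs = _filter_attrs(tag, attrs)
        if tag == "img" and not attrs:
            return  # an external image is dropped whole, not emitted src-less
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in attrs)
        self.out.append(f"<{tag}{rendered}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))  # text (incl. script bodies) is escaped

def sanitize(html):
    """Return a whitelisted copy of html with no external references."""
    p = NoExternalAccessSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```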
