webappsec August 2007 archive

Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

From: Jeremiah Grossman <jeremiah_at_nospam>
Date: Fri Aug 10 2007 - 22:50:04 GMT
To: Amit Klein <aksecurity@gmail.com>

On Aug 16, 2007, at 4:17 PM, Amit Klein wrote:

> Anurag Agarwal wrote:
>> I am looking to get views from people on the list about a proposed
>> security restriction in the browsers
>>
>
> I hope you're aware of Gervase Markham's http://www.gerv.net/security/content-restrictions/
>> *The browser should check with the webserver which domains it can
>> interact with (load files from or submit post data to, etc.) for
>> that website. How the check is implemented is up to the browser.*
>>
>> For example: If a page from mybank.com is trying to submit data to
>> attacker.com then before submitting the data, the browser should
>> check with mybank.com if it is allowed to do so.
>> Q1. is it reasonable?
>> Q2. What are the pros and cons of this approach?
>> Q3. Would it limit some types of browser attacks (like some XSS
>> vectors, etc.)?
>> Q4. Would it open any new types of attack vectors?
>>
>
> For one, it doesn't fully handle situations in which the XSS
> payload can write compromised data to another (publicly accessible,
> or at least attacker accessible) part of the site. For example, an
> XSS payload may take the cookie value and "store" it in another
> part of the site, such as a page to where comments can be
> submitted. The attacker then only needs to frequently poll this
> section of the site and collect the data.

According to my understanding of content restrictions, this would depend on:

  1. The policy allowing the code to execute from wherever it was echoed.
  2. The policy allowing document.cookie

Of course, nothing says that a website would have such a policy or that it's written well... but the spec should be able to accommodate this restriction.

Regards,

Jeremiah-
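The following is an added illustration, not code from any participant in the thread or from the Content Restrictions draft. It models the proposed browser-side domain check as a small policy evaluator, runs the cookie-stealing payload Amit describes through it, and then adds the two extra policy knobs Jeremiah names (may echoed code execute, may it read document.cookie). The policy field names (allowedDomains, allowInlineScript, allowDocumentCookie), the subdomain matching rule, and the sample payload are all assumptions made for the illustration.

```javascript
// Added example (not from the thread): a toy model of the proposed
// browser-side check, used to walk through the same-origin exfiltration
// bypass and the two policy knobs discussed above. All policy field
// names are illustrative assumptions, not the syntax of Gervase
// Markham's Content Restrictions draft.

// Does `host` fall under one of the domains the site declared?
// Exact match or a subdomain of it (assumed matching rule).
function domainAllowed(host, allowedDomains) {
  return allowedDomains.some((d) => host === d || host.endsWith("." + d));
}

// Simulate what an echoed XSS payload achieves under `policy`.
// Returns which endpoints ended up receiving the session cookie.
function simulate(policy, payload) {
  const result = { scriptRan: false, cookieRead: false, leakedTo: [], blocked: [] };

  // Knob 1: may code that was echoed into the page execute at all?
  if (payload.inline && !policy.allowInlineScript) {
    return result; // payload never runs, so nothing else matters
  }
  result.scriptRan = true;

  // Knob 2: may scripts read document.cookie?
  const cookie =
    payload.readsCookie && policy.allowDocumentCookie
      ? "SESSIONID=constructed-sample-value" // constructed, not real
      : null;
  result.cookieRead = cookie !== null;

  // The proposal itself: every outbound request is checked against the
  // domain list the browser obtained from the site.
  for (const req of payload.requests) {
    const target = req.host + req.path;
    if (!domainAllowed(req.host, policy.allowedDomains)) {
      result.blocked.push(target);
      continue;
    }
    if (cookie !== null) {
      // Request is permitted by the domain check and its body carries
      // the stolen cookie, e.g. into a publicly readable comments page.
      result.leakedTo.push(target);
    }
  }
  return result;
}

// Constructed policies the browser might fetch from mybank.com.
const policies = {
  // The proposal exactly as stated: a domain allow-list and nothing else.
  domainOnly: {
    allowedDomains: ["mybank.com"],
    allowInlineScript: true,
    allowDocumentCookie: true,
  },
  // Same allow-list, but echoed (inline) script may not run.
  noInlineScript: {
    allowedDomains: ["mybank.com"],
    allowInlineScript: false,
    allowDocumentCookie: true,
  },
  // Echoed script may run, but document.cookie is off limits.
  noCookieAccess: {
    allowedDomains: ["mybank.com"],
    allowInlineScript: true,
    allowDocumentCookie: false,
  },
};

// Constructed payload: reflected into a mybank.com page, reads the
// cookie, then tries a cross-domain POST and a same-origin POST to a
// comments page the attacker can later poll.
const payload = {
  inline: true,
  readsCookie: true,
  requests: [
    { method: "POST", host: "attacker.com", path: "/collect" },
    { method: "POST", host: "mybank.com", path: "/comments/submit" },
  ],
};

for (const [name, policy] of Object.entries(policies)) {
  console.log(name, JSON.stringify(simulate(policy, payload)));
}
```

Under the domain-only policy the POST to attacker.com is blocked but the same-origin POST goes through with the cookie in it, which is the bypass Amit describes; under either of the other two policies the leakedTo list is empty, which is the point Jeremiah makes about the spec being able to express the restriction. Whether a real site would publish such a policy is a separate question, as the reply notes.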



Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss