webappsec August 2007 archive
Main Archive Page > Month Archives  > webappsec archives
webappsec: Re: [WEB SECURITY] Seeking feedback on proposed secur

Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

From: Andy Steingruebl <steingra_at_nospam>
Date: Mon Aug 13 2007 - 16:41:34 GMT
To: "WASC Forum" <websecurity@webappsec.org>, "Webappsec @securityFocus" <webappsec@securityfocus.com>


On 8/12/07, pdp (architect) <pdp.gnucitizen@googlemail.com> wrote: >
> The reason I mentioned that is because GET is usually in a form of a
> link or image. If you block these then you break the most fundamental
> principle the web is based on.

Again, I think that there are a couple of issues here, namely:

  • What types of statements do we want our policy language to be able to make?
  • How do we want to browser to determine the policy, in what context, etc?

Doing things like an extra header muddies the waters with respect to things like HTTP Response Splitting.

In the SMTP world where the protocol didn't support certain policy assertions we moved to a completely out-of-band mechanism for SPFnamely  TXT records in DNS. I'll be the first to agree that this is a pretty bad idea in terms of protocol overloading, but at the same time it gives us an out-of-band mechanism for indicating policy.

What I think would be useful to move this forward would be to list out the types of attacks (loosely defined) and then the types of policy statements we'd want a site to be able to make to prevent or defend somehow against the attack. Gerv did a bunch of this in his work - we ought to come up with a relatively exhaustive list of assertions and what they help with. -- Andy Steingruebl steingra@gmail.com ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]