Hi all
you probably noticed that Firefox 3.5 is out and it comes with a new way to protect against XSS called Content Security Policy.
Do you think it is worth implementing in phpMyAdmin? It would probably mean changing some parts of our code because it blocks the following things:
* The contents of internal <script> nodes
* javascript: URIs, e.g. <a href="javascript:bad_stuff()">
* Event-handling attributes, e.g. <a onclick="bad_stuff()">
* eval()
* setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
* setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
* new Function constructor, e.g. var f = new Function("evil string...")
See <https://wiki.mozilla.org/Security/CSP/Spec> for more details.
Michal Čihař wrote:
> Hi all
> you probably noticed that Firefox 3.5 is out and it comes with a new way to protect against XSS called Content Security Policy.
> Do you think it is worth implementing in phpMyAdmin? It would probably mean changing some parts of our code because it blocks the following things:
> * The contents of internal <script> nodes
> * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
> * Event-handling attributes, e.g. <a onclick="bad_stuff()">
> * eval()
> * setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
> * setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
> * new Function constructor, e.g. var f = new Function("evil string...")
> See https://wiki.mozilla.org/Security/CSP/Spec for more details.
Michal, do you know where in the 3.5 browser menus I can activate CSP?
Hi
On Thu, 02 Jul 2009 07:15:02 -0400 Marc Delisle marc@infomarc.info wrote:
> do you know where in the 3.5 browser menus I can activate CSP?
The web page has to activate it, it has to provide some profile where it can load scripts from.
Michal Čihař wrote:
> Hi all
> you probably noticed that Firefox 3.5 is out and it comes with a new way to protect against XSS called Content Security Policy.
> Do you think it is worth implementing in phpMyAdmin? It would probably mean changing some parts of our code because it blocks the following things:
> * The contents of internal <script> nodes
> * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
> * Event-handling attributes, e.g. <a onclick="bad_stuff()">
> * eval()
> * setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
> * setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
> * new Function constructor, e.g. var f = new Function("evil string...")
Since we use quite a number of onclick="" attributes it would take considerable effort to implement this. I do not expect this to be implemented in all browsers anytime soon, since it currently is an FF-only feature, and thus we still have to be very careful with properly sanitising all output.
Therefore I see this as a possible long term goal, and something to think about when writing new code.
Herman van Rink wrote:
> Michal Čihař wrote:
>> Hi all
>> you probably noticed that Firefox 3.5 is out and it comes with a new way to protect against XSS called Content Security Policy.
>> Do you think it is worth implementing in phpMyAdmin? It would probably mean changing some parts of our code because it blocks the following things:
>> * The contents of internal <script> nodes
>> * javascript: URIs, e.g. <a href="javascript:bad_stuff()">
>> * Event-handling attributes, e.g. <a onclick="bad_stuff()">
>> * eval()
>> * setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
>> * setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
>> * new Function constructor, e.g. var f = new Function("evil string...")
> Since we use quite a number of onclick="" attributes it would take considerable effort to implement this. I do not expect this to be implemented in all browsers anytime soon, since it currently is an FF-only feature, and thus we still have to be very careful with properly sanitising all output.
> Therefore I see this as a possible long term goal, and something to think about when writing new code.
Agreed; also the CSP document itself from Mozilla scares me with lots of options and policies to decide about.
Hi
On Thu, 02 Jul 2009 16:42:47 +0200 Herman van Rink rink@initfour.nl wrote:
> Since we use quite a number of onclick="" attributes it would take considerable effort to implement this.
I totally agree.
> I do not expect this to be implemented in all browsers anytime soon, since it currently is an FF-only feature, and thus we still have to be very careful with properly sanitising all output.
Yes, but as CSP also allows notifying us if something is doing nasty things, it will help us protect other users, because we will be notified about possible problems from FF 3.5 users.
> Therefore I see this as a possible long term goal, and something to think about when writing new code.
It makes sense to define it this way.