New Firefox Standard Aims to Combat Cross-Site Scripting

Al writes "The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks (XSS). The standard, called Content Security Policy, will let a website specify what Internet domains are allowed to host the scripts that run on its pages. This breaks with Web browsers' tradition of treating all scripts the same way by requiring that websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts. The Mozilla Foundation selected the implementation because it allows sites to choose whether to adopt the restrictions. 'The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites,' Brandon Sterne, security program manager for Mozilla, wrote on the Mozilla Security Blog. 'If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.'"

as an end user

I really hope the default policy is "only allow scripts from the current domain" and "do not allow the site to override my choice".

Re:as an end user

[seifried]

It doesn't quite work that way, it's much more fine grained, i.e. as a site owner I can say something like:

allow /foo/bar.cgi?weird looking strings and block anything else

so if an attacker finds a cross-site scripting flaw in say "/login.php" the client won't accept it, protecting my client, and protecting the site owner as well (bad guys aren't harvesting credentials from users, etc.).

Re:as an end user

[sexconker]

As an end user I really hope that the sites I visit have a default policy of "we only serve up our own shit". ...

Fuck.

Re:as an end user

[Arker]

I really hope the default policy is "only allow scripts from the current domain" and "do not allow the site to override my choice".

Noscript does this.

Which brings me to the observation that, at least as far as I can tell from the blurb, this entire thing sounds a bit redundant in light of the ready availability of Noscript. Why not just make it part of the default firefox install instead?

Re:as an end user

[kill-1]

No, CSP doesn't work like that. You can't specify path patterns or something like that. If you have an XSS flaw on your site an attacker still can inject scripts. But the scripts won't get executed because CSP only allows external scripts from white-listed hosts.

Re:as an end user

[seifried]

Ack I must have been thinking of mod_security, my bad. OTOH you can limit stuff by file/etc to a pretty good degree using site security policy and achieve pretty much the same aims.

Re:as an end user

[LDoggg_]

Javascript libraries for things like browser abstraction and animations are really nice, but they're getting kinda of bulky.
Content delivery networks like AOL and Google are hosting them for free, so it makes sense for websites to just include them and use the big guys' bandwith.

Re: as an end user

[butlerm]

That is the problem - a mandatory restriction that amounts to "we don't trust the html generated from our own domain".

Re:as an end user

[Spad]

Because, as a user I might not know which of the 47 different domains that CNN pulls scripts from are *supposed* to be serving scripts and which are some guy trying to get my facebook account details (not that I have one or read the CNN site regularly; largely because of the number of bloody domains they pull scripts from), whereas the owners of the CNN site *will* know which domains they're supposed to be pulling scripts from and can state so to the browser.

Re:as an end user

[Arker]

Because, as a user I might not know which of the 47 different domains that CNN pulls scripts from are *supposed* to be serving scripts and which are some guy trying to get my facebook account details (not that I have one or read the CNN site regularly; largely because of the number of bloody domains they pull scripts from), whereas the owners of the CNN site *will* know which domains they're supposed to be pulling scripts from and can state so to the browser.

Sounds like a bug rather than a feature to me. This would just enable CNN and others to continue the practice, removing any pressure on them to fix their broken website.

Re:as an end user

[hesaigo999ca]

here,here, mod up....ooops used them all up, very informative you are though!!!
I would mod you up, if they could give me more then just 5 damn points!

Re:as an end user

[xouumalperxe]

NoScript solves a different problem, which is that you don't trust the site. What this aims to solve is the problem of knowing what the site itself considers trustworthy, so that you're not required to issue a blanket statement of distrust: If you trust the site, you can (supposedly) trust its own trust list.

Re:as an end user

[SCHecklerX]

After the stunt the noscript author pulled with adblock's filterset, I will never use it again. It simply cannot be trusted. It is malware.

Re:as an end user

[tepples]

As an end user I really hope that the sites I visit have a default policy of "we only serve up our own shit".

Then I guess you don't visit Wikipedia, eBay, or any other site that allows its subscribers to submit works to be displayed on the site.

Re:as an end user

[sexconker]

Generally, I don't!
Text-only for user submitted content, plz.

Re:as an end user

[FuzzyBad-Mofo]

I surely hope NOT, as that would break any web site that uses JSON, Google-hosted scripts, etc.

Good idea

[thetoadwarrior]

As long as this isn't something that can easily be compromised then I think this is an excellent way of handling the problem.

Re:Good idea

[NecroPuppy]

First thoughts on that:

If I say that my site trusts domain1.com, but domain1.com isn't using this and ends up having all sorts of dodgy scripts they're passing along, would this block them, or would they count as coming from domain1.com?

Re:Good idea

[sexconker]

When content is fed to you by/through domain1.com, do you see it as coming from domain1.com?

If the answer to that is YES, then you're FUCKED if domain1.com is serving up shit.

Re:Good idea

[the_other_chewey]

If I say that my site trusts domain1.com, but domain1.com isn't using this and ends up having all sorts of dodgy scripts they're passing along, would this block them, or would they count as coming from domain1.com?

Domain1 woudn't need to use this - this is a client-side security measure. If your site uses it and declares trusted third-parties, it's enough.
Also, what is "passing along" supposed to mean? Scripts (or any other stuff) would either come from domain1 or not. If not, it wouldn't be trusted.
If domain1 proxies scripts from other sources, this means they come from domain1, as far as HTTP is concerend - and they would be trusted.

The problem I see however is domain1 declaring additional trusted domains when delivering its scripts, thereby allowing for "cascaded domain trust", which
would pretty much defeat the new system. This can easily be prevented by not accepting additional trusted domains from elements that are third-party though.

Re:Good idea

[CarpetShark]

As long as this isn't something that can easily be compromised then I think this is an excellent way of handling the problem.

From the summary:

The standard, called Content Security Policy, will let a website specify what Internet domains are allowed to host the scripts that run on its pages.

As long as this "standard" is the one called HyperText Markup Language, then this makes sense. HTML is intended to say what scripts run on a page. If that's broken, then the HTML should be fixed. Somehow I suspect it's not broken, but that developers' implementations of sites are.

Re:Good idea

That is a different problem. The problem with this specification is that when enabled it doesn't allow you to use inline scripts anymore. i.e. you can no longer directly trust *your own domain* unless you use out of line scripts, which is enormously constraining for a large class of applications.

In particular, many applications dynamically generate javascript on the fly. The only way to handle that under this specification would be to generate lots of little temporary files that the browser requests on the second pass. The performance problem with such secondary requests is a serious problem, due to turnaround latency.

Speaking of which, HTTP should be extended to allow web servers to push expected inline requests for script files, images, and frames (up to a reasonable limit and under reasonable constraints) into the web browser in-memory cache to eliminate the turnaround latency associated with such follow on requests. i.e. the browser in such cases would be able to fulfil such requests immediately from the cache because they would already be there by the time the web browser had finished parsing the page.

Re:Good idea

[LO0G]

The other major problem with this solution is that it requires changes at the web site level.

In other words, you're only safe if the web site author opts into the security solution.

What are the chances that the hundreds of millions of web sites out there will all opt into this feature?

Re:Good idea

[Burz]

Perhaps it would be more effective to modify Firefox so that it will only execute scripts from other domains which are directly referenced by the original domain. That seems much safer to me.

Re:Good idea

[Simetrical]

If I say that my site trusts domain1.com, but domain1.com isn't using this and ends up having all sorts of dodgy scripts they're passing along, would this block them, or would they count as coming from domain1.com?

They would be executed. Even if you use this to its fullest, attackers can still do XSS if they can alter your actual script files. But if fully deployed, it kills the most common cause of XSS: HTML injection. The point is that injected HTML will not be able to include scripts except from approved domains.

Currently an HTML injection anywhere in the application means you can stick in a <script> tag or onload attribute and run any script you like. This is bad, because HTML pages are usually generated dynamically and embed many user-provided strings that have to all be escaped individually by the application. One unescaped string and you get XSS.

With this new tech, a properly-configured site is immune to that. HTML injections can inject HTML, but not anything else: no scripts, images, objects, etc. except from approved domains. Since script files are usually static files with no user-provided strings embedded in them, XSS becomes vastly more difficult. You can't even inject an image from your domain to track IP addresses.

So even if you include dodgy third-party scripts, that won't enable HTML injection to escalate to XSS like it currently can. The third party can, of course, still freely screw you over if their server gets hacked or they deliberately provide malicious content. If you're worried about that, don't trust them!

Re:Good idea

[Simetrical]

That is a different problem. The problem with this specification is that when enabled it doesn't allow you to use inline scripts anymore. i.e. you can no longer directly trust *your own domain* unless you use out of line scripts, which is enormously constraining for a large class of applications.

But also necessary to prevent HTML injection from escalating into XSS. Even if you can't do this, however, the spec is very modular. You can still use other features it allows while allowing inline script, like restricting domains of image/script/etc. loading.

Re:Good idea

[Yogiz]

Why would they all need to do that. If any at all use the options, web surfing experience will be safer. It seems like a reasonable solution to me.

Re:Good idea

[LO0G]

Sure, but the instant that you hit a web site that hasn't opted in, the protections are worthless.

MSFT's version of this feature works by inspecting the HTML on the page and blocking all scripts that appear to be hostile - it's not a perfect solution but it doesn't require the site to opt-in.

I think a hybrid solution of both MSFTs and FF's solution is likely to be the best option for customers - the FF solution allows for a declarative solution for sites that want to opt-in, the MSFT solution helps protect other sites.

Neither solution is perfect.

Re:Good idea

[Yogiz]

Nobody claimed it was perfect. If you are on a site that supports this feature you are safer. If you are on a site that does not support it you are as safe as you are now. That doesn't mean it's worthless. It makes browsing more secure for everyone. Instead of having a few computer-literate browsers (people not software) use noscript on the page, the page owner just has to write the list once and all visitors get protection, including those not tech-savvy.

Re:Good idea

[LO0G]

A declarative solution still requires that the entire web be updated to adopt it before you're safe. That's why a combination of non declarative (MSFT's XSS filter) and declarative (FireFox's CSP) is the best option.

This is especially true if there's no visual indication that a site has opted into CSP - otherwise you have no way of knowing which sites are "safe" or not.

Managers

[uassholes]

"The Mozilla foundation is to adopt a new standard to help web site's prevent cross site scripting attacks (XSS). The standard, called Content Security Policy

Do you notice that name does not sound like the description? Why do they never call it what it is?

Re:Managers

[sexconker]

Because if it doesn't form a TLA (Three-Letter Acronym) it won't catch on.

Re:Managers

[EvanED]

If you'll notice, CSS was already taken for web-stuff, and X often means "cross", so it does actually make sense.

Re:Managers

[leamanc]

If you will notice, he meant that "Content Security Policy" as a name is less effective than, say, "Cross-Site Scripting Prevention Policy." He was not talking about XSS as an acronym.

Re:Managers

[maxume]

It extends well beyond scripts into other content areas. It can be used to limit the domains that are allowed to serve images, css, and so on (this is all for a given page).

No more hacking anti piracy organizations?

[basementman]

So does this mean we can't hack anti piracy organizations any more? http://torrentfreak.com/mpaa-website-now-with-torrents-090502/ http://torrentfreak.com/riaa-site-features-torrentfreaks-latest-news-090504/

Re:No more hacking anti piracy organizations?

[buchner.johannes]

It is just a client protection, like Microsofts HttpOnly-Cookies. You can still send any packages to the server.

Re:No more hacking anti piracy organizations?

[darthflo]

We still can. The mentioned MAFIAA flaws are based on a vulnerability in server-side code. <iframe [...]> is posted as the search criteria and incorporated into the site output to the user. It's all HTTP (submitting the "evil" param") and HTML (returning a usable <iframe>.

The Firefox implementation "protects" only from scripts included via <script src=..> from another domain. Pure HTML (like above) or in-page scripts aren't blocked. In most* cases, that's a few minutes of extra work, tops; using the same vulnerability.

* Limitations include content filters (though allowing <script> yet blocking important JS keywords seems not that realistic to me), being vulnerable only to GET requests (limits script size to some 900 bytes; depending on implementation). A possible benefit (to the attacker) of including the script is being able to host it on a server he controls; thus the script can be changed while the attack is live and some tracking (how many people downloaded the script) can be done. OTOH, the attacker gets (more) trackable, too.

How does this change userland?

[Red+Flayer]

I will still run with noscript installed because I've yet to see a good XSS-preventing implementation that will allow *me*, as a user, to easily define what sites can run scripts on the sites I visit. And when I visit a site where I need to disable noscript, I have no other tabs/browsers open.

I'm sorry, but NO site can be trusted 100% from a user's perspective... and giving site owners the tools to help prevent XSS from their side doesn't help with the fact that users still shouldn't trust absolutely.

The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.

Of course, I'm slightly paranoid. And of course, this isn't transparent to Joe Sixpack, so he's going to trust|!trust based on whatever it is he's basing it on now. And for security-critical sites like banks, this is a good thing... but I try very hard to make sure my friends & family are a bit paranoid too, so they'll take precautions.

Re:How does this change userland?

I will still run with noscript installed because I've yet to see a good XSS-preventing implementation that will allow *me*, as a user, to easily define what sites can run scripts on the sites I visit.

Combine RequestPolicy with YesScript

Re:How does this change userland?

[TheRealMindChild]

I will still run with noscript installed because I've yet to see a good XSS-preventing implementation that will allow *me*, as a user, to easily define what sites can run scripts on the sites I visit

Dude. How are *you* going to know that it is ok to run scripts on Slashdot.org that originate from slashdotscripts.com and not scriptsforslashdot.com? Even if you are a lunatic and micromanage the trusted sources of these scripts, how would selectively running any of them do you any good? I would imagine almost all sites are going to break horribly of you only enable HALF of the scripts, where flat out disabling them/running all scripts will give you a working site.

Re:How does this change userland?

[hedwards]

Well, it irritates me to no end that there isn't a mandatory listing of all the sites that serve scripts for them complete with some sort of explanation.

I absolutely hate having to figure out which domain that I've blocked that will allow access to the content and which ones are dodgy. And further whether the site that's serving up the content is safe enough to allow.

Re:How does this change userland?

[Red+Flayer]

How are *you* going to know that it is ok to run scripts on Slashdot.org that originate from slashdotscripts.com and not scriptsforslashdot.com? Even if you are a lunatic and micromanage the trusted sources of these scripts, how would selectively running any of them do you any good?

Dare I say it?

Site XXXX is attempting to run a script on site YYYY.
(C)ANCEL or (A) LLOW?

All snark aside, why would I allow either of those domains to run a script on slashdot.org? Since I trust slashdot to a certain extent, I would allow from scripts.slashdot.org. But allowing scripts from a completely different domain? No way.

The point is that my security policy is annoying to implement. For site mybank.com I need to enable scripting. But if things were perfect, I could enable only for scripts from $SUBDOMAIN.mybank.com, so I don't get hosed by scripts from $HACKERSITE.bankmy.com. And if legitimate sites are hosting their scripts from an entirely different domains... well, that would have to change. Instead I have to take an all-or-none approach, since the sites I need security the most on are the ones where I need to enable scripting. That just sucks.

Re:How does this change userland?

[Jherek+Carnelian]

Indeed, I wish noscript would allow me to whitelist domains and even specific scripts on a per-site basis. So, for example, I could whitelist maps.google.com's use of javascript from gstatic.com but not allow any other sites, like images.google.com, to pull in javascript from gstatic.com.

Re:How does this change userland?

[Red+Flayer]

If you're slightly paranoid like I am, how would you know to trust the provided list of "trusted script serving sites"?

At some point, you need to trust *someone* to tell you who else you can trust... and that'll always be a problem.

Re:How does this change userland?

That reminds me -- since recently I have to tell NoScript to allow scripts from fsdn.com in order to browse slashdot.org successfully. I *know* that FSDN is slashdot's parent company, but it doesn't seem right that I can't use slashdot's discussion interface without giving permission to all of FSDN.

Similarly, recently I have to allow gstatic.com and/or googleapis.com to use Google-enabled websites that worked fine before.

Like the parent post's point: it's getting harder for a user to selectively narrow permissions down.

Re:How does this change userland?

[oldhack]

I second "yay!" for Noscript. You have no idea how tangled commercial websites are until you use noscript.

Re:How does this change userland?

[maxume]

Slashdot is currently pushing js from c.fsdn.com.

I think you have a pretty dim view of the ecosystem (or maybe you are viewing some really marginal sites, who knows). For the most part, a given page that you visit is not going to contain malicious code that sniffs for when you have a https cookie for your banking site and then mysteriously steals all your money. I say this confidently, as I am quite certain that the bad guys are much happier with the simpler task of installing mal-ware keyloggers.

The only browser exploit I have personally encountered came from the server getting compromised (well, the account for a domain, probably not the whole server); obfuscated javascript had been appended to the bottom of a javascript file that the page loaded (the attack was a pdf, but I had that particular exploit locked down (or it didn't work in the version of Reader I use...), so no issues). Entertainingly, it was a blog post about web security (I let them know and they fixed it).

Re:How does this change userland?

[michaelhood]

That would be like paypal.com inexplicably using paypalobjects.com! Unpossible.

Re:How does this change userland?

[Jurily]

What irritates me is that all the browsers I've ever heard of run everything they can by default. The only distro coming even close to something sane is Gentoo with the "restrict-javascript" USE flag with firefox (that pulls in noscript, but still does not enable it by default).

Of course I can't know about everything, feel free to correct me.

Re:How does this change userland?

[Red+Flayer]

And I know that fsdn.com is also a trusted site.

You're right that I'm not the most knowledgeable (to put it lightly) about the ecosystem. However, I think it's atrocious that I cannot easily and selectively block scripts from operating on sites I want to view. And not just for the sake of security... also for the sake of performance on older machines.

Re:How does this change userland?

[maxume]

By 'dim', I meant that you have an overly negative view, I wasn't speculating as to your level of knowledge.

Re:How does this change userland?

You know what's even more insane? After installing an application, it defaults to executable! Can you believe that?!

Re:How does this change userland?

[v(*_*)vvvv]

why would I allow either of those domains to run a script on slashdot.org?

You wouldn't. Slashdot would. This is about the site creator specifying a white list, and not about the visitor being prompted about it.

But if things were perfect, I could enable only for scripts from $SUBDOMAIN.mybank.com, so I don't get hosed by scripts from $HACKERSITE.bankmy.com.

Am I misunderstanding the description of this extension, because to me this sounds exactly like what it does. You enable scripts from domains you specify. Thus, no javascript injections or form hacking will get a page to retrieve foreign scripts without the attacker being able to physically alter the document.

Re:How does this change userland?

[MikeFM]

I've been suggesting a fix like this for years but my suggested implementation let users have add further limitations. It's stupid not to let users tighten controls even if they can't make controls any weaker than the site has configured. You'll never have perfect security but at least this is a step in the right direction.

Re:How does this change userland?

[dveditz]

The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.

This mechanism isn't intended for users -- this is a tool for site authors, to cooperate with them in enforcing their policies. The site still has to make a best effort at implementing those policies themselves to protect all their visitors using browsers that don't support CSP (which includes every officially released version of Firefox to date). This is an extra layer of protection for users of CSP-compliant browsers, and a benefit to the site through the reporting function.

Please do continue running NoScript if you like. CSP is a mechanism for site authors to declare their policy, add-ons like NoScript and AdBlock are tools for users to declare their policies.

Re:How does this change userland?

Use Privoxy [http://www.privoxy.org] to selectively disable/enable scripts by any regular expressions you want.

Re:How does this change userland?

[Zey]

And I know that fsdn.com is also a trusted site.

Funnily enough, I know I don't want fsdn.com's content because the side bar is annoying bloatware that cripples the utility of the site. I'm very glad to have NoScript on the case, blocking it for me. (Which makes me wonder how many other horror websites there are out there whose horrible bloat I've been saved from by virtue of my browsers blocking XSS.)

Re:How does this change userland?

Of course, I'm slightly paranoid. [...] And for security-critical sites like banks, this is a good thing...

Of course, I'm slightly paranoid, too. That aside, for security-critical sites like banks, there is no such thing as a good dependency on JavaScript. These banks teach their users to behave insecurely:

1. Please, behave securely, have some tea and
  antivirus installed, don't tell anybody your
  PIN. Update you system and browser regularly.
  Now, proceed to log in.
2. [Login doesn't work]
3. In order to use this site, please allow JavaScript.
4. [Login doesn't work]
        5. DAMN1 ALLOW jAVAsCRIPT111[1]
6. [Stupid user allows JavaScript globally]
5. Profit!

[1] Caps-Lock pun indented ...

Re:How does this change userland?

[tepples]

If you're slightly paranoid like I am, how would you know to trust the provided list of "trusted script serving sites"?

The web server is telling you a list of sites that it trusts to serve scripts to be run in its pages.

SPF for JavaScript

[The+Yuckinator]

On the surface this sounds like a great idea. Sort of like SPF for JavaScript. Of course I'm sure that more knowledgeable folks than I will do their best to poke holes in it. I guess the other browsers will just ignore this unless of course they jump on board and implement it too.

Re:SPF for JavaScript

[the_other_chewey]

I guess the other browsers will just ignore this unless of course they jump on board and implement it too.

Exactly. Also, it will rain tomorrow. Unless it doesn't.

FF Vs IE again?

[ItsPaPPy]

Seems like they are trying to compete with IE http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx But on http://sla.ckers.org/ circumvention has already been found. XSS will always be around, because of dumb coders trying to re-invent the wheel, yet again.

Cost vs. Benefit?

[spydabyte]

If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.'

The author gave the best reason for not implementing this.

The benefits of this, and other various security implementations, won't be seen until it's tested. The costs of testing? Way too high compared to the current cost of operation. This is a very hard proof-of-concept problem, and unless this is already built into development standards, I doubt any deployments would switch.
Which would you take, the option which delays production for a week, or the option to just hit "next"?

Re:Cost vs. Benefit?

[hedwards]

Of course it doesn't. For the most part sites that are vulnerable aren't made to pay for the damage that their lack security has caused. If we forced sites to pay for their mistakes, that would change things really fast.

The TD Ameritrade settlement for instance was an absolute joke, they ended up losing a lot of personal information and then they ended up with a slap on the wrist. It's not going to be cost effective for organizations to secure their sites as long as they're free to pass on the cost to the end user.

Re:Cost vs. Benefit?

[Simetrical]

The author gave the best reason for not implementing this.

The benefits of this, and other various security implementations, won't be seen until it's tested. The costs of testing? Way too high compared to the current cost of operation. This is a very hard proof-of-concept problem, and unless this is already built into development standards, I doubt any deployments would switch.

Well, I don't know. I'm a MediaWiki developer, and I can pretty much guarantee you that Wikipedia will use this, and that MediaWiki will support it. If you mean some random corporate website copy-pasted through sixteen iterations of hacked-up code dating back to 1994 won't use it, then sure, maybe not. But you can bet that some of the top websites will.

One of the coolest features is that you can specify a URL for the browser to report violations to. That way you can catch bugs in your policies without relying on user reports, and you immediately learn of any attacks on your Firefox users so you can fix them quickly for your non-Firefox users.

Article on this and related technologies

[seifried]

Shameless self plug: I wrote about this in my column: Web security - Protecting your site and your clients in September of 2008 and I'm VERY glad to see this is moving forwards as it means I (as a site owner) can actually do something to protect my site and my users against flaws in my site that is relatively easy and non-intrusive (that's the key!). The thing I really love about this is if your clients don't support site security policy, things still work, and if your browser supports it but the remote web site doesn't, things still work, but if both ends support it you get a nice added layer of protection. What would be really wild is if Microsoft added support for it, although "not invented here" they have been making efforts to protect users from XSS attacks in IE8 with mixed success, so who knows. You can do similar things with mod_security potentially and outgoing filters but it is nowhere near as simple as site security policy should be to deploy (hopefully).

Re:Article on this and related technologies

[michaelhood]

I (as a site owner) can actually do something to protect my site and my users against flaws in my site that is relatively easy and non-intrusive (that's the key!).

Unless your users run something besides Firefox.

If MS did this we'd all be crying about how this isn't sanctioned by W3C, and it's "embraceandextend" (tag?).

Re:Article on this and related technologies

[node+3]

If MS did this we'd all be crying about how this isn't sanctioned by W3C, and it's "embraceandextend" (tag?).

Extinguish.

It's Embrace, Extend, Extinguish. That last E makes all the difference in the world.

Use a file?

Instead of making me modify each file to send that header/meta tag, why not make it like the flash security files and just have a file in the root directory.

Re:Use a file?

[EvanED]

Oh, please don't do that. Don't assume that we have rights to that directory. I already really really wish I could set robots.txt for just my subdirectory, but no can do since some semi-moron thought it would be a good idea to make me mail my school department's webmaster to exclude part of my directory.

Re:Use a file?

[seifried]

You could simply use .htaccess and restrict based on user agent. Ugly, lots of over head (request = hit .htaccess), but it would work (at least for polite robots, but this is also true of robots.txt).

Re:Use a file?

[EvanED]

Ugly, lots of over head...

And requires me to figure out the useragent of either every browser out there (to allow) or every bot out there (to deny). At least, as far as I can tell.

Re:Use a file?

[jonbryce]

And can you be sure you have all the legitimate user agents?

Certainly ie, mozilla, safari, chrome and opera will cover most of the desktop / laptop user agents, but what about all the obscure browsers used on phones and other mobile devices?

Re:Use a file?

[seifried]

No, just block the common ones (googlebot and yahoo slurp are the majority of it). If you're actually trying to protect this content then you need to password protect/etc. it, robots.txt is not the way to prevent exposure. As well you could also use the meta tag in HTML documents:

meta name="robots" content="noindex"

But I agree, robots.txt is far less painful and much quicker. Thing to remember as well when robots.txt was invented the web was a much simpler place and everyone online was pretty much skilled in the art by definition.

Re:Use a file?

[michaelhood]

Oh, please don't do that. Don't assume that we have rights to that directory. I already really really wish I could set robots.txt for just my subdirectory, but no can do since some semi-moron thought it would be a good idea to make me mail my school department's webmaster to exclude part of my directory.

You can do everything that you do with robots.txt via robots meta tags and streamline their inclusion with some server-side scripts if so desired.

Re:Use a file?

[michaelhood]

Ugly, lots of over head...

And requires me to figure out the useragent of either every browser out there (to allow) or every bot out there (to deny). At least, as far as I can tell.

No, only "bots" (spiders, nowadays) actually check robots.txt, per the RFC. User-initiated requests don't/shouldn't (no browser I've ever seen) do not request/parse robots.txt.

Re:Use a file?

Which would be a relevant comment were they not talking about .htaccess files rather than robots.txt

Old Standard to Prevent All Attacks

[sexconker]

Don't let other people serve content via your site.

Don't rely on shitty plugins from security failures such as Adobe.

Don't depend on user-generated content, since it's shit. If your site can't provide it's own content, at least properly filter incoming user content down to plain ol' text.

Don't sign up with a shitty registrar who will transfer your domain/dns/mx records to some slut like godaddy at the drop of a hat.

Don't give people the password to your account at your host/registrar, and don't give people access to your fucking ftp/ssh/direct/etc. accounts for your server.

Re:Old Standard to Prevent All Attacks

[Red+Flayer]

Don't depend on user-generated content, since it's shit. If your site can't provide it's own content, at least properly filter incoming user content down to plain ol' text.

Hey! It doesn't need to be plain ol' text.

As a theoretical, it could be hamstrung html that pisses off some users by not recognizing UTF-8 in order to prevent malicious posting.

Or something. I'm sure we could figure out a decent implementation.

Re:Old Standard to Prevent All Attacks

[seifried]

Don't let other people serve content via your site.

Problem is that security flaws such as cross-site scripting (XSS) allow exactly this (insert arbitrary HTML/JavaScript into the page which is then rendered by the client browser.

Re:Old Standard to Prevent All Attacks

[buchner.johannes]

Don't host a website or put data on the web?

Don't use computers?

Re:Old Standard to Prevent All Attacks

[EvanED]

Don't depend on user-generated content, since it's shit.

Says the person providing user-generated content to a site that depends on it.

Re:Old Standard to Prevent All Attacks

[jonbryce]

Don't depend on user-generated content, since it's shit. If your site can't provide it's own content, at least properly filter incoming user content down to plain ol' text.

I suggest you resign from Slashdot as soon as possible then ...

Re:Old Standard to Prevent All Attacks

[sexconker]

Why is this modded troll?

99.99999% of attacks are the result of:

Malicious ads and clickthrough "offers" after a sale is processed
Vulnerabilities in PDF, Flash, etc.
Malicious content uploaded by users (javascript, sql injection, malformed jpegs, what have you)
Domain hijacking
General "LOL I GOT UR PASSWORD" shenanigans

Re:Old Standard to Prevent All Attacks

[glenstar]

And moronic users. Don't forget the moronic users!

Re:Old Standard to Prevent All Attacks

[Runaway1956]

Sexconker is modded a troll - quite unfairly. Cross site scripting sucks. Simple as that. I go to a site, first thing I see is noscript's popup message that anywhere between 2 and 20 sites want to run scripts in my browser. I click the popup, to see WHO wants to run scripts. Sometimes, it's easy to see who wants to do what, and deciding to allow site a, but not site b is quite simple.

Often enough, it's just not that simple. I want to see some stupid flash presentation, and the only way to see it is to enable flash. Unfortunately, three different sites are offering a flash. Which one do I want? I choose one to be allowed, and I get rickrolled.

That is hamshite. Nothing more, and nothing less. The original site should be hosting it's own material, or they should supply the link to see the flash presentation. Cross site scripting is a ripoff that just helps to confuse the security conscious. And, God knows there are far to few users who are conscious. (I'd like to see a scientific poll that demonstrates just how many users really are brain dead - it has to be over 20%, and might be over 50%)

Re:Old Standard to Prevent All Attacks

[sexconker]

Yeah, I love the (relatively) new one where you have to allow javascript from some skank ass ad server to see the flash file.

They cram an ad in before the flash file actually starts to load, and you have to watch it. Some sites let you just wait and then serve up the flash anyway (they assume the ad shithouse is down at the moment, or something went wrong after the ad played), but you've got to sit and wait and watch a black square for 30-60 seconds.

So to see the flash, I've got "Temporarily allow all this page". In fact, I find myself doing that to get most sites to just fucking work, and it disgusts me.

Re:Old Standard to Prevent All Attacks

[sexconker]

Moronic users are victims.
Unless you're talking about the special type of moron who will somehow mash their keyboard and enter LOL'); DROP TABLE USERS;

Re:Old Standard to Prevent All Attacks

[glenstar]

I hate those users! I protect myself in all of my applications by checking for the name "Little Bobby Tables". That kid is TROUBLE!

Some History

[eplawless]

I know there's been a lot of dialogue between the authors of SOMA, which predates this, and the Mozilla team; it might provide some interesting context.

You're doing it wrong

[XanC]

If you're having to modify individual files to set HTTP headers, you're doing it wrong. Also, polluting sites' namespaces (even worse than they already are with robots.txt/favicon.ico) is a bad idea.

But then, you already betrayed your cluelessness when you revealed that you put Flash on the Web.

Re:You're doing it wrong

[seifried]

I think you replied to the wrong posting.

Re:You're doing it wrong

I didn't say I used flash did I? I just used the flash file as an example.

Re:You're doing it wrong

[XanC]

...why?

Re:You're doing it wrong

[michaelhood]

But then, you already betrayed your cluelessness when you revealed that you put Flash on the Web.

Yeah! Damn their highly-adopted prescient, open security model and their 99% global penetration! Get off my lawn!

Re:You're doing it wrong

[tepples]

But then, you already betrayed your cluelessness when you revealed that you put Flash on the Web.

Then which widely used web browser supports SVG+Ogg+SMIL, the free alternative to SWF?

Headline: Google other ad publishers revenues drop

[rescendent]

Presumably the millions of adsense and publishers will have to enable their sites to maintain adverts..? Might hit google revs a bit...

The XSS FAQ

[mrkitty]

The Cross-site Scripting (XSS) FAQ http://www.cgisecurity.com/xss-faq.html

This is great for Firefox users...

[randomnote1]

What about IE, Chrome, Opera, and Safari users? As of now this solution only benefits a small portion of users. I don't see this being widely implemented at all.

Re:This is great for Firefox users...

[hansamurai]

Well, if Firefox users find it effective, then other companies will follow suit. It's just a standard Mozilla is adopting, though it seems to have been defined in house, that won't stop anyone else from using it.

Re:This is great for Firefox users...

[Vectronic]

IE has an XSS Filter... I don't use IE enough to have bothered to investigate it though, otherwise Opera, Safari, Chrome, don't seem to be doing anything special about XSS, at least not advertising it, other than patching their own vulnerabilities against a few known methods.

Re:This is great for Firefox users...

[Rangataua]

Eric Lawrence has already blogged on the IE Team blog in support of this approach: http://blogs.msdn.com/ie/archive/2009/06/25/declaring-security.aspx so it is possible that CSP will be adopted more generally.

Re:This is great for Firefox users...

[dveditz]

Even if this was never implemented in any other browser sites still benefit through early detection of active attacks. If your site implements a security policy with a report URI then every Firefox visitor will be conducting a passive security scan on every page they visit, at least for the types of security problems CSP targets (primarily XSS).

A step in the right direction

[Ambush+Commander]

The first trap you will fall into thinking about this is that it should be the end-all security policy, and will solve our problems. It won't. That's not the intent, and also impossible given our diverse browser ecosystem.

The ability to tell the browser, via out-of-band, non XSS-able information, that certain scripts should not be executed, however, is a very powerful defense in depth measure, and makes it one step harder for attackers to make an attack work.

Security is a war of attrition. Bring it on.

NOT a standard

[Curate]

The summary is wrong, this is NOT a standard in any way, or even a proposed standard. This is a proprietary security feature being introduced by Firefox. I'm not saying this is a bad thing (it's not), or that this won't eventually become a de facto standard (it might). But it is not a standard.

Re:NOT a standard

They explain how it works and it's open source. How can you call that proprietary? Maybe it hasn't passed through a standards body, but that doesn't mean it can't be freely implemented for any other browser.

Re:NOT a standard

[Curate]

Sure, they've published the spec, but that doesn't make it non-proprietary. Is it controlled by Firefox or by a neutral standards body? There are lots of analogies to this. e.g. Microsoft has openly published the SMB spec, yet they control it; it is proprietary. Or maybe we have different interpretations of the word "proprietary"? In any case, I did not mean to emphasize the word "proprietary" or any connotations that word may evoke. I used that word in my post but it wasn't the main point of my post. My main point is that this is a not a standard. Calling this new feature a standard actually dilutes the meaning of the word "standard". Can we just call almost any new feature a standard?

Re:NOT a standard

[Ant+P.]

Are you calling Javascript proprietary? Or are you claiming OOXML is an open standard?

Re:NOT a standard

[Simetrical]

The summary is wrong, this is NOT a standard in any way, or even a proposed standard. This is a proprietary security feature being introduced by Firefox. I'm not saying this is a bad thing (it's not), or that this won't eventually become a de facto standard (it might). But it is not a standard.

It's not a standard, but it's not proprietary either. Proprietary means "owned by someone". Perhaps the term you're looking for is non-standard or vendor-specific.

Standard?

[pablodiazgutierrez]

More than a "Firefox standard", it seems to me that this is an extension. I'm all for it, but let's call things by their name.

Re:Standard?

If we can have "site's" in the summary when neither a possessive nor a contraction applies, then might as well throw in a misnomer too.

Yea. they are free. right.

[unity100]

just like they have forced the 'humongous, scary ssl warning error' instead of the previous acceptable and understandable error message. it forced a lot of small businesses who used the certificates they themselves signed to buy 3rd party certificates from vendors. again with this change, all small businesses will have to spend more on web development charges, because most end users will set their firefox to the prevent setting for this new feature. the 'free to do business is usual' bit is bullshit. remember, say the word 'security', and you can even sell wars to people. so dont feed the 'free to do business as usual' bullshit to anyone.

one thing that is most damaging to us open source crowd is being too self righteous and jacobin. it starts to hurt us again as time passes and projects develops. this time its happening with firefox.

Re:Yea. they are free. right.

[netsharc]

Your last paragraph reminds me, hey Firefox is open source, let's just fork it!

Re:Yea. they are free. right.

[maxume]

It will default to off. Defaulting to on would mean that offsite images would no longer load (nor would any content that is pulled from a CDN).

Re:Yea. they are free. right.

[ZorinLynx]

Anyone doing business should have a legitimate SSL certificate for the site and not use a self-signed certificate. Anyone using a website should be wary of any business site using a self-signed certificate.

Self-signed certificates are okay for personal servers where you know you or a friend signed the cert, but if you're doing business it is a VERY BAD IDEA to use or trust self-signed certs. Firefox's behavior is correct in this regard.

Re:Yea. they are free. right.

[Jubilex]

Speaking as an admin, I've seen way too many end users click through certificate warnings for self-signed certs without understanding what they are doing. Firefox is doing the right thing (and now that IE 8 is doing something similar, I'd say they aren't the only ones who think so.)

Re:Yea. they are free. right.

Sigh. With a self-signed certificate, there is no guarentee that you have an encrypted session. Hint:

Client Malicious Proxy Server Webserver

Nothing stops the Proxy from terminating the SSL connection, logging the (now decrypted) traffic, and then starting a new encrypted connection to the Webserver.

But if the certificate has to be signed, the Malicious Proxy cannot terminate an encrypted connection pretending to be from the Webserver, as it will not have a certificate that can be used to impersonate the webserver.

Re:Yea. they are free. right.

[tepples]

With a self-signed certificate, there is no guarentee that you have an encrypted session.

If you click accept, and then a man-in-the-middle starts intercepting traffic, the key's fingerprint won't match the one for which you clicked accept. That's how update signing works on Mac OS X: it has to be signed with the same cert as last time, not necessarily a cert issued by VeriSign. Of course, this won't work if a man-in-the-middle has always been intercepting traffic.

RFC?

[Midnight+Thunder]

Is this 'standard' endorsed by anyone else or written up as part of an RFC? Calling something a standard when you are the only guys doing sounds like a certain company that was started by Bill and Paul.

I am not trying to troll here, since I am all for the solution, I am just ensuring that this properly documented and shared by the right entities (think W3C).

Re:RFC?

[Midnight+Thunder]

I should have the read the article first, since no where in the article do they mention the word 'standard'. When they do decide to make it happen I do hope the submit the proposal to the right organisations, as to avoid making this a one browser standard.

Re:RFC?

[blair1q]

Bill and Paul made about $100 billion and their bugs have become the standard that most "standards" can't dislodge.

Anyone can proclaim a "standard", recall what "RFC" stands for? It's not "peer-reviewed and passed by governing bodies."

If Mozilla is saying this is how they're building it into the code base, W3C can ignore it, but it's W3C who won't be compatible with what is standard.

Re:RFC?

[Joe+Jay+Bee]

I was thinking the same thing. If this was Microsoft, Apple or even Google claiming a "new standard" based on a feature only they've adopted (and even created) they would quite rightly get chewed out. The only way something anyone does alone (especially if they're still the minority in terms of market share) could be considered a "standard" is if your attitude to language is exceptionally flexible.

Break Bookmarklets?

[zmnatz]

Just wondering, wouldn't this break a lot of bookmarklets since they are essentially javascript being run from a different location on the site. Correct me if I'm wrong (I probably am). Just wondering

Massive Overkill

[butlerm]

This proposal looks like massive overkill to me. Implementing the restriction on inline script tags is equivalent to saying - our web developers are incompetent and naive and cannot be trusted to take basic security measures, so we feel making our web development practices more cumbersome and inefficient (if not impossible) is a healthy trade off.

A more effective program would be to develop and promote standardized html sanitization routines for popular web development languages, so that user entered html could easily be accepted under certain restrictions. Most web logs do this already.

Alternatively a less draconian solution would be to allow inline scripts to execute if the script tag includes a response specific serialization value that is also present in the HTTP headers. 64 bit values would make forging a inline script essentially impossible, because there would only be a 1/2^64 probability of a subsequent accidental match.

Re:Massive Overkill

[v(*_*)vvvv]

our web developers are incompetent and naive and cannot be trusted to take basic security measures so we feel making our web development practices more cumbersome and inefficient (if not impossible) is a healthy trade off.

The real question is, can YOU trust your web developers? And is this really that more cumbersome and inefficient than every other measure? It's just another tag. In fact, it is *just* a tag. It is also in the source of the problem - the web browser. You could argue everything else is a workaround, and finally we are getting help from the people responsible for inventing the problem.

A more effective program would be to develop and promote standardized html sanitization routines for popular web development languages

Yes, except, this is not easy, it is already being done, and it isn't quite working.

If one tag could eliminate the risk of external scripts running on my pages, I am all for it. Of course, this only works with firefox, so it is actually quite meaningless. Hackers can just fire up a different browser, so the number of hackers this will stop are exactly ZERO.

Re:Massive Overkill

[butlerm]

It is not "just a tag" - it is a header that enables a mandatory restriction on inline scripts in addition to selective restrictions on other elements. And if you have incompetent web developers for a public facing site, you are likely to have much more serious problems than unfiltered user content.

One of the serious problems with this is many applications dynamically generate javascript on the fly. The only way to handle that under this specification would be to generate lots of little temporary files that the browser requests on the second pass. Besides the bizarre devlopment style this requires, the performance problem with such secondary requests is a serious problem, due to turnaround latency.

Speaking of which, HTTP should be extended to allow web servers to push expected inline requests for script files, images, and frames (up to a reasonable limit and under reasonable constraints) into the web browser in-memory cache to eliminate the turnaround latency associated with such follow on requests. i.e. the browser in such cases would be able to fulfil such requests immediately from the cache because they would already be there by the time the web browser had finished parsing the page. [Note: portions of this posted as AC below]

Re:Massive Overkill

You can't blame the web developers for everything on this one... XSS attacks get into pages from many routes. Here's the first three that come to mind: SQL injection, automated hacking script suites, virus compromised servers (eg, Fujacks family).

So, I see limiting domains that are allowed to run scripts as a good idea. It may prove difficult to stop attackers that can already inject content into your pages from modifying the server config so that the their injected scripts are now from allowed sources. But at least it's another barrier against a successful attack.

Re:Massive Overkill

[arndawg]

Hackers can just fire up a different browser, so the number of hackers this will stop are exactly ZERO.

It's not about stopping hackers from running these scripts. It's to protect the users if a hacker have managed to insert a remote script via a form on the webpage. It protects users running firefox if the site have implemented the tag.

Re:Massive Overkill

[Ant+P.]

Hackers can just fire up a different browser, so the number of hackers this will stop are exactly ZERO.

If you're that ignorant to how XSS actually works, then no amount of browser-based security will save you.

Re:Massive Overkill

[butlerm]

SQL injection is universally due to a web development problem. The others you mention are either system administration or development problems as well. If you have someone injecting arbitrary SQL, script injection is the least of your problems.

I agree that if you employ lots of inexperienced developers who can't follow documented security practices or have no higher level code reviews, and you are working on a new application, this might be worth it despite the enormous performance penalties and development difficulties.

Normal applications format all text as HTML on generation - script injections are impossible. The *only* people who have a problem are those who display arbitrary user submitted HTML without validation. And how many applications do that? Web logs?

Re:Massive Overkill

[v(*_*)vvvv]

So only FireFox has this feature to stop XSS attacks. If this feature is bothering me, then how is resorting to IE or a different browser not a workaround? That is all I am saying.

Re:Massive Overkill

[v(*_*)vvvv]

Right. If a hacker plants a script that is then embedded in the content that visitors of the page execute, then users using FireFox will be protected, and this is not a browser selection problem.

I am referring to the other scenario though where hackers try and run code for themselves. Or maybe no one does that anymore.

Re:Massive Overkill

[Ant+P.]

Why would you choose to switch to an insecure browser??

Re:Massive Overkill

[arndawg]

What are you talking about? Running client-side java script is not something that will do a hacker any good. Or are you talking about changing the source-code of the website itself? If so, then that's a completely different matter.

Re:Headline: Google other ad publishers revenues d

[RalphSleigh]

Obviously if a site does not contain one of these headers it will default to allow from all. Also called not breaking the whole internet with your new browser feature.

eBay and MySpace?

[POWRSURG]

CSP is effectively server-side NoScript. And it isn't exactly new either. This has been in development as a Firefox extension for at least a year. The article mentions it being first crafted back in 2005.

The issue I take with this article is that they suggest this feature could even possibly be integrated into eBay or MySpace. These two giants seem like the exact opposite type of market that would use this -- any site that allows users to post their own data is not going to possibly survive the wrath they would catch if users had to explicitly allow the domains they want scripts to run on. For a corporate Web site yes, but for something for the masses or those of us that run a CMS? I don't see that as happening anytime soon.

Re:eBay and MySpace?

[kill-1]

Apparently, you have no idea what XSS means. Neither eBay or Myspace allow the execution of user-provided scripts for obvious reasons. Given the market share of Firefox, the big sites will implement CSP pretty soon.

How do you code without any inline scripting?

How would you pass parameters to scripts? How would you do AJAX or DHTML stuff based on realtime data? I suppose you could wrap everything in semantic classes and data attributes containing JSON, hell even Javascript, and then include an external script that evals them all. Inline scripting through the backdoor. Is that what they want us to do? Or have an extra Javascript file with every HTML file?

Umm...

Why would anyone run cross site scripts *now*, except in clearly white-hat uses?

PLEASE GOD NOOO! ;)

[Hurricane78]

Please don't let this become the same horrors, that it is with plugins.

If you ever tried to add a applet or anything embedded into a site, that came from some other domain (like a mp3 stream), you will know what I am talking about.
It just gets blocked, except if you have a signed certificate and other shit, that you can only get for money. And then it is still a huge mess to set up.

In my eyes this stifled web technology quite a bit.

Additionally, what do you do, when you yourself have several domains and subdomains? Like a global domain for common things, like the base stylesheet and script libs, and a local domains, that use them. Etc.

It's good to make this safe. But it absolutely must be done right. Or else, there will be a giant mess. :/

XSS (Cross-Site Scripting) definition?

[jc42]

So is there an official definition of "Cross-Site Scripting" somewhere? Since that phrase started to be used in scary security stories a few years ago, I've been collecting the definitions that various stories provide, and I've been a bit disappointed. Mostly, they aren't even "definitions", in the usual dictionary sense of the term. I.e., I can't use most of the purported "definitions" to decide whether what I'm looking at is an instance of the phrase. And in general, no two stories or sites seem to use similar definitions (when they actually give definitions at all).

My impression is that "Cross-Site Scripting" is an empty scare phrase that really just means "anything involving two different machines and a script -- whatever that may be".

So has some official organization defined the phrase? If so, what makes them an authority? And is there some way that I can tell when someone is using the official definition (if such exists), or should I just continue to view the phrase as an attempt to scare readers without actually informing them about the problem?

I note that the definition associated with TFA isn't actually a definition. And several other postings here have linked to sites that also give ambiguous non-definition definitions.

It sure seems there's something being talked about here, but it seems to suffer from the usual problem with security authorities, that they view me as an idiot who doesn't need to be informed about the subject matter; I only need to be scared (presumably so that I'll pay them to fix something that they've carefully made sure I can't understand clearly).

I'd think that security is an area where you'd want to be careful with your definitions and terminology. But apparently I'm wrong.

Re:XSS (Cross-Site Scripting) definition?

[TheRaven64]

My impression is that "Cross-Site Scripting" is an empty scare phrase that really just means "anything involving two different machines and a script -- whatever that may be".

Cross site scripting is exactly what it sounds like; running a script from one site in another site's security sandbox (i.e. scripting across sites). The script tag allows scripts to be loaded by a page from any site. These scripts then run in the same namespace and sandbox as any other scripts on that page. It's basically the web equivalent of an arbitrary code execution vulnerability. It isn't quite as bad as the client-side version, because there is (in theory) no way of escaping from the sandbox that the browser constructs from each site.

If you don't properly sanitise user-provided data then it's quite easy[1]. Imagine, for example, that Slashdot allowed arbitrary HTML. If it did then I could put a script tag in this post referring to a script in my domain. Your browser would then load this script and run it as if it were provided by Slashdot. If you enter your password, I could harvest it. Even if you don't, my script could send HTTP requests to Slashdot with your login credentials and post spam. If you've entered personal information in your user profile, I could harvest this.

You probably don't have any private information on Slashdot, so it's not a particularly attractive target for identity theft, but the large number of page views means that it might be useful for spam. Imagine, for example, a cross-site scripting vulnerability being used so that everyone with excellent karma who went to the Sony story posted something written by Sony PR.

For sites like eBay, it's much more important. These sites have full names, postal addresses, and often credit card numbers. If I can run a script in their pages' sandbox then I can access all of this information as the user enters it.

This idea is for each domain to provide a whitelist of domains that are allowed to provide scripts (or other resources). If I persuade eBay's code to load a script from my domain then FireFox can check my domain name against the list published by eBay, see that it is not there, and refuse to run the script.

[1] This isn't the only way of persuading a site to load your scripts, but it is the simplest to explain.

Re:XSS (Cross-Site Scripting) definition?

[jc42]

Well, yeah; I've done lots of web scripting, and I get all that. I've even written demos of the dangers, usually to try to impress on others (such as managers) why it's a potential threat to users. This hasn't usually been too successful, as shown by the fact that those people usually continue to run their browsers with scripting enabled.

My question wasn't about how you write web scripts. My question is why you'd add a modifier like "cross-site" to it. Defining it as a script on one machine (the server) which runs on another machine (the client) adds no information, because that's how almost all web scripting works. I added "almost" because there is the special case of a developer testing web stuff by accessing it from a browser on the same machine, something I do all the time, but which isn't the usual use of a web browser. In the other 99.999% of the cases of "scripting" with a browser, the code is downloaded from a remote server and run by the browser. So adding an adjective that describes this case isn't imparting any addition information to the usual case. It does mislead readers who think you're talking about some dangerous special case.

To use the canonical automobile analogy: It's as if auto companies were to start talking about "road-drivable vehicles" as if this were some special feature. Yes, there are off-road vehicles. But "road-drivable" is the usual, default use of an auto, so adding an adjective for that case is at best silly, and at worst confusing to the reader, since it's an attempt to convince them that there's something special about the vehicles you're talking about. Imagine a claim that "Road-drivable vehicles are a threat because they can collide with your car or pedestrians and cause injuries." Well, yeah; as if anyone with a grain of sense didn't know that. The "road-drivable" modifier is nonsense, because it's describing the normal use of most vehicles, not some special sort of vehicle. And buying an off-road vehicle doesn't lessen the danger, especially if you drive it on a road.

Since the normal use of scripts with web browsers is to copy a script from the server to the browser and run it on the client's machine with data from both machines, adding a modifier that just says that two sites are involved is the same sort of silliness. It's adding an adjective that describes the usual, default case, which at best is just a waste of syllables. At worst, it misleads the reader by implying that you're talking about some mysterious special case. This isn't a spurious objection; reading discussions about the topic make it clear that most people don't understand that all scripting in web pages is a potential threat (just as all vehicles on a highway are a potential threat). This is why most people with a grain of sense run browsers that include NoScript or some similar capability such as turning scripting off entirely.

The problem with the above auto analogy, of course, is that most people understand that other vehicles on the road are a threat. But most people don't understand that downloading code from another site and running it is a threat to their computer. Their ignorance isn't helped by using any empty adjective when talking about "scripting" (another word that most people couldn't define). The way to help them is to get across the fact that all downloaded code is a threat, so they should make sure that any "scripting" tools that do that are disabled. The danger doesn't come from some special thing called "cross-site scripting"; that's just weasel wording designed to obscure the fact that all downloaded code is the same sort of threat.

Anyway, I'm still looking for a definition of "cross-site scripting" that explains why people are using that phrase rather than just "scripts". Or maybe just "code", since any web page that sends executable code is exactly the same sort of threat (if the client's browser is configured to run it).

Re:XSS (Cross-Site Scripting) definition?

[TheRaven64]

Ah, I see the problem. You can't read. Let's go back to my post. I said:

Cross site scripting is exactly what it sounds like; running a script from one site in another site's security sandbox (i.e. scripting across sites)

You somehow read this as:

Defining it as a script on one machine (the server) which runs on another machine (the client) adds no information, because that's how almost all web scripting works

Note the difference between your definition and mine. My definition (shared by everyone else) involves three computers:

• Computer 1 serves the page (site 1).
• Computer 2 serves the script (site 2).
• Computer 3 is the client and runs the script from site 2 in the security snadbox for site 1 (i.e. it is a cross-site script).

If site 2 is not operated by a trusted party, then this is a cross-site scripting vulnerability. Your definition involved two machines, a server and a client. Some instances of cross-site scripting, where site 2 is trusted, are benign (for example, Slashdot uses Google Analytics, which fetches a script from Google). Others, where site 2 is not trusted, are cross-site scripting vulnerabilities. I am not sure if I can explain this in any simpler way.

Or have I just been trolled?

Re:XSS (Cross-Site Scripting) definition?

[jc42]

Ah; I see! I'm not running my browsers in any sort of "sandbox", so obviously cross-site scripting can't affect me.

Right?

This is how most people would understand your explanation, after all. ;-)

And I suppose I sorta intended my comments as a "troll". That is, I was trying to prod people into explaining what they were talking about, rather than just using vaguely-defined phrases without explaining them. To most people, such prodding is trolling. As I said, I've collected a lot of purported definitions of "cross-site scripting", and what stand out to me is that no two of them are compatible. Maybe yours is the right one; I can't tell. What makes you the authority whose definition should be used against the other purported authorities who give incompatibile definitions? Ordinarily I don't question people's credentials here, but where there are competing authorities criticising me (implicitly or explicitly), I think it's a reasonable thing to do.

If this is trolling, so be it. What I see is the conventional arrogance of the self-described security experts who (often quite intentionally) write so that not even ordinary computer geeks can get a clear idea of what they're warning us against. So I'm probably violating all sorts of security rules or guidelines, as are the rest of the computer-using public, but it's because the security folks are (often quite intentionally) keeping us ignorant.

What a lot of us would like to read is a good way of telling whether we're doing the wrong thing, and how to do it right. In this case, since the definition of the purported dangers apparently requires that I be running my browser in a "sandbox", and I'm obviously not doing that, it would be reasonable for me to ignore the issue as not being relevant to me. I'm fairly sure this isn't the correct conclusion, but that's the skeptical computer geek in me talking. If I read the discussion wearing my "mere human" hat, I have to dismiss it as an obscure technical thing that doesn't apply to me or my computers.

Re:XSS (Cross-Site Scripting) definition?

[jc42]

Note the difference between your definition and mine. My definition (shared by everyone else) involves three computers:

Actually, that's not shared by quite everyone else. I just followed the link in another post, to the cgisecurity.com site's FAQ. I should perhaps remark that I was rather embarrassed to read some of what's there. But note that it's from a company that is clearly pushing itself as an expert on web security.

If you read the "What is Cross Site Scripting?" section, you'll probably have a hard time pointing to anything that mentions three or more computers. I don't read that anywhere in the paragraph. Later on, there are a couple of sketchy example that would probably involve three machines, but even then, it's not clear that that's a critical detail. What does seem clear is that they aren't presenting a 3-machine setup as a significant part of what they're defining.

Also, the string "sandbox" doesn't occur in their FAQ. In fact, not even "san" was found by firefox. So their definition doesn't require 3 machines or a sandbox.

Actually, their "definition" is rather remarkable for its vagueness. I suspect that this page was written (or more likely, re-written) by marketers and/or tech writers who don't understand the topic, and probably don't care to. But that's beside the point, because this is the FAQ on "Cross Site Scripting" [their capitalization] of a company whose business is web security. What they have on that page is what they present to visitors as how they understand and define the topic.

This is yet another entry in my list of incompatible definitions of the phrase at hand. I think that the phrase has been co-opted by the marketers, sorta like "virus" and "hacker" and other scary-sounding technical terms. So, while we can talk about it all we like, chances are that the folks reading slashdot all have their own definitions, most of which are as confused as this one. And we'd have a lot of trouble finding two definitions that are even close to the same, even from people presenting themselves as web-security experts.

It reminds me of Bertrand Russell's famous description of mathematics as a subject in which "we never know what we're talking about nor whether what we're saying is true". That's a fun quote to bring up when people are discussing whether Computer Science is a branch of mathematics. If it really were, then we CS types should be happy to embrace (and extend) Russell's characterization.

Re:XSS (Cross-Site Scripting) definition?

[TheRaven64]

Actually, that's not shared by quite everyone else. I just followed the link in another post, to the cgisecurity.com [cgisecurity.com] site's FAQ. I should perhaps remark that I was rather embarrassed to read some of what's there. But note that it's from a company that is clearly pushing itself as an expert on web security.

I just read this definition and, while it's badly-written, it describes the same thing as me. The first half is waffle, but the second half is a round-about description of the phenomenon. The problem with this definition is that it's trying to be simple, but it's doing so by avoiding technical descriptions which can be just plain confusing when describing technical systems. My description, in contrast, was written on a site for nerds, so some technical experience was assumed on the part of the reader.

Every other description of the phenomenon I've read describes the same thing, with varying levels of quality. The top hit on Google is the Wikipedia page, which has a relatively clear definition. I suspect, given how badly you managed to misread my description (e.g. thinking it a client and a single server when my first sentence described two servers) that your reading comprehension is the problem.

But I want and need X-site scripting!

[kanweg]

I'm a bit out of my league knowledge-wise here, but in my company I have a company web application that would benefit very much from being able to do something in the window of another site. Why can't a browser (not the web app) be set to very specifically allow a particular web application to make use of another specified website. E.g. that would allow me to fill out a form with data from the web app or vice versa to get data into my MySQL database without having to fill out the data manually, which is error-prone. Because it is a browser setting where both domains are set to specifically interact with each other, I don't see how it could be used to do anything malicious, but it would help web apps enormously.

Bert

Re:But I want and need X-site scripting!

[LDoggg_]

You can do cross site scripting right now using JSONP. Basically include a script with a callback function name and run an eval on the response. The object you really want as a response is placed in as the parameter to your callback.
It's extremely useful when you are able to trust the other host.

However, if you don't trust the other host, you shouldn't be including their script in the first place. Because that script may contain something like a javascript function to send the cookies of the first domain to someone else.

It's pretty straightforward on how to secure the stuff, but we'd be a lot better of if browsers had a native evalJSON() function instead of just an eval(). That way we'd know we're just sending back objects instead of executing arbitrary code.

Next step

[chrysalis]

Next step: educate PHP users so that they have a clue about security?

Re:Next step

[Ant+P.]

How about first getting the PHP developers to add a sane and logical way of sanitizing HTML.

"Disable JavaScript"

[Waccoon]

Well, it's about time somebody does something. For years JavaScript has been an on/off affair, and it's been driving me nuts both as a web surfer and a developer.

They can do whatever they want for Joe Average to ensure advertisers won't complain, but please, can I have the ability to allow scripts to run only from the same domain as the originating page? Please? Just a simple checkbox will do, thank you.

Re:"Disable JavaScript"

[Dan541]

Your suggestion is absurdly logical, hence it shall not pass.

Why do all the good ideas get by-passed? Is it some sort of "nerd pride", that we must never do things the easy way.

Re:"Disable JavaScript"

[Ant+P.]

There are decade-old Bugzilla bugs for this feature. It gets ignored purely because of money - Google gives Mozilla a huge chunk of change and in return they prevent users from having (by default) the ability to block AdSense, and set the default page to a google search box.

Microsoft has no such dependency on advertisers, which is why they had no inhibitions to adding a JS whitelist/blacklist (via its security zones) over 10 years ago. The rest of the browser is shit, but that's just MS software for you.

Makes me wonder if money was the reason for killing MNG off and replacing it with a stillborn format...

This is useless

Adobe did the same thing to prevent actionscript cross site scripting. This bothered everyone, and now you have security.allowDomain = "*"; all over the internet ....

Then isn't this feature nonsense??

[Burz]

The page from the primary domain refers to scripts on those other domains as a matter of trust. If CNN doesn't trust a domain's scripts, then they won't refer to them in the first place!

OTOH if the http connection is being attacked (say from an infected system on the LAN) and references to bad domains are being injected, then that could be a real problem but not one that is solved by this new feature. Only https would prevent this attack.

Properly constructed sites function without XSS

[Medievalist]

Slashdot is currently pushing js from c.fsdn.com.

And I'm not running any of 'em. And I never have.

You have it right.

[Medievalist]

Am I misunderstanding the description of this extension, because to me this sounds exactly like what it does. You enable scripts from domains you specify. Thus, no javascript injections or form hacking will get a page to retrieve foreign scripts without the attacker being able to physically alter the document.

If you are talking about noscript, yes, that's exactly how it works. The UI is simple enough that my 9-year-old uses it without problems. It cannot really be used by anyone who does not understand the difference between code and data, though.

The difference between noscript and this idea is simple:

    Noscript - you decide who you will trust.

    TFA - whoever hacked the site you are visiting decides who you will trust.

No-brainer from where I'm sitting. But for people who are not knowledgeable enough to browse safely, and who need to (or insist on) browsing anyway, this would be a step in the right direction.