Re: A technique to mitigate cookie-stealing XSS attacks
From: David Wagner (daw@mozart.cs.berkeley.edu) Date: 11/08/02
- Previous message: Thomas Sarlandie: "Re: Accesspoints disclose wep keys, password and mac filter (fwd)"
- In reply to: Florian Weimer: "Re: A technique to mitigate cookie-stealing XSS attacks"
- Next in thread: Matthew Collins: "Re: A technique to mitigate cookie-stealing XSS attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 8 Nov 2002 04:23:56 GMT
Florian Weimer wrote:
> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?
HTTP headers are arguably the wrong place, but it might make sense to
have a <NOSCRIPTS> tag that would require the browser to turn off all
scripting for the entire HTML document, or somesuch. For instance,
application-layer proxies could add such a tag to all data crossing the
firewall, and places like Hotmail prepend such a tag to all HTML-formatted
email they receive before displaying it to the user. Of course, we would
have to trust browsers to respect such a tag, but it could potentially
give a very simple, high-assurance way to turn off dangerous features.
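A toy model of the trust split described in this post, added here as an example (it is not code from the original thread): a gateway that prepends the proposed tag to every HTML body it relays, and a simulated browser that honours the tag by refusing to render any scripting vector in that document. The `<noscripts>` tag, the class and function names and the sample mail are all assumptions constructed for the example.

```python
from html.parser import HTMLParser

NOSCRIPTS = "<noscripts>"  # the tag proposed in the post; not a real HTML element

def gateway_prepend(html: str) -> str:
    """Gateway side (app-layer proxy or webmail front end): prepend to every body."""
    return NOSCRIPTS + html

class NoScriptsBrowser(HTMLParser):
    """Simulated user agent: a leading <noscripts> turns scripting off for the
    whole document (script elements, on* handlers, javascript: URLs dropped);
    nothing later in the document can switch it back on."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.scripting_off = self.in_script = self.seen_tag = False

    def handle_starttag(self, tag, attrs):
        if not self.seen_tag:               # the policy is read from the first tag only
            self.seen_tag = True
            self.scripting_off = (tag == "noscripts")
        if tag == "noscripts":              # never rendered, wherever it appears
            return
        if self.scripting_off:
            if tag == "script":
                self.in_script = True       # suppress the element and its body
                return
            attrs = [(k, v) for k, v in attrs
                     if not k.startswith("on")
                     and not (v or "").lstrip().lower().startswith("javascript:")]
        rendered = "".join(f' {k}="{v or ""}"' for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            self.in_script = False
        elif tag != "noscripts":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:              # script bodies are never executed or shown
            self.out.append(data)

def render(html: str) -> str:
    """Return the markup the simulated browser would actually render."""
    browser = NoScriptsBrowser()
    browser.feed(html); browser.close()
    return "".join(browser.out)

# Constructed sample: an HTML mail carrying three common script vectors.
EVIL_MAIL = ('<p onmouseover="x()">hi</p><script>alert(document.cookie)</script>'
             '<a href="javascript:x()">click</a>')
```

The whole mitigation rests on the browser side: the same mail renders unchanged if the user agent does not recognise the tag, which is exactly the trust assumption the post points out.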