Comments on: Site Security Policy, AKA Content Restrictions

By: hackademix.net » NoScript's Anti-XSS Filters Partially Ported to IE8

hackademix.net » NoScript's Anti-XSS Filters Partially Ported to IE8 — Thu, 03 Jul 2008 10:05:52 +0000

[…] that post, calling for adoption of his own bright Content Restrictions idea, he forgot to say that one (experimental) implementation already exists… Do these cross-site scripting filters suppress legitimate cross-site references as well? […]

By: hackademix.net » Replace What?!

hackademix.net » Replace What?! — Sat, 21 Jun 2008 10:05:23 +0000

[…] anybody know what this XeroBank guy is talking about? SPP can’t obviously stand for Site Pecurity Policy. It wouldn’t make sense (spelling and grammar aside) because SSP is not meant and not going […]

By: Giorgio

Giorgio — Tue, 10 Jun 2008 16:05:39 +0000

@alanjstr:
First of all, how long, nice to have you back :)
1) It depends on how fast the SSP experimentation with its own extension goes. It would make some sense, though, because NoScript users would be probably willing to experiment with this stuff.
2) It’s quite unlikely: SSP is the most a browser can do without appearing “rude” to web site owners. Blacklist-based adblocking is more likely to be built in a browser than whitelist-based script control.

By: alanjstr

alanjstr — Tue, 10 Jun 2008 13:30:42 +0000

1) So does this mean you’re going to be incorporating SSP into NoScript until it becomes baked into the browser?
2) Are you working to get some of the NoScript protections baked into the browser so that people don’t have to always get an addon?

By: Giorgio

Giorgio — Mon, 09 Jun 2008 10:37:55 +0000

@kuza55:
Thanks, I did not mean to talk about any “generic” verb tampering initiated from an user-agent in direct control of the attacker, who would obviously bypass any client-side restriction.
What I was hinting is that, since X-SSP headers allows administrator to declare HTTP verb restrictions, they could be used to enforce a default-deny policy for unused verb so that they could not be used in the context of a CSRF attack.
I’ll update the post accordingly.

By: kuza55

kuza55 — Mon, 09 Jun 2008 10:23:07 +0000

"mitigating verb-tampering attacks" - wait, what?
How are you proposing that client-side controls will mitigate server-side issues?

By: Giorgio

Giorgio — Sun, 08 Jun 2008 09:44:27 +0000

@Gordon Mohr:

Would X-SSP-Script-Source prevent people from inserting their own third-party or offsite scripts into sites? (As might happen via a bookmarklet or add-on.)

It will depend on the final implementation, I guess, since it’s out of the scope of the current specification.
Giving users a chance to override SSP in cases like this is probably desirable, but I’m afraid it may not be technically trivial.

Would X-SSP-Request-Source be usable by sites which don’t want any deep-linking, replacing the referrer-based blocks they now sometimes put in place?

Yes, of course, but I’m not sure there would be a great gain: you would still face fallback issues with not compliant or SSP-disabled browsers, as you currently do with anonymous or spoofed referrers.
But maybe SSP-compliance would be easier than reliable referrers to be required from your users “for their own good” ;)

By: Gordon Mohr

Gordon Mohr — Sun, 08 Jun 2008 00:05:25 +0000

Would X-SSP-Script-Source prevent people from inserting their own third-party or offsite scripts into sites? (As might happen via a bookmarklet or add-on.)

Would X-SSP-Request-Source be usable by sites which don’t want any deep-linking, replacing the referrer-based blocks they now sometimes put in place?

By: Giorgio

Giorgio — Fri, 06 Jun 2008 13:12:40 +0000

@Gareth:

I’m more for pushing it as a “shame on you” soft requirement for “serious” web applications (through some 3^rd party “validation” badge like you suggest) than a general browser-enforced requirement for all web sites (even the read-only ones), many of which actually value inbound and outbound links very much (directories, search engines, blogs), and even liberal application-level relationships (mashup APIs anyone?)

By: Gareth Heyes

Gareth Heyes — Fri, 06 Jun 2008 12:39:39 +0000

@Giorgio

Yep that’s the only way to enforce the change as far as I can see it, otherwise we have security researchers and banks with well implemented security restrictions and everyone else with the same problem we have today. It will break the web, users will be annoyed but at the same time it would be a fundamental shift in internet security. If we force deny all it could work, if not then I can see another PGP situation (great technology but the majority don’t implement it)

Noscript is a fantastic program but I feel it shouldn’t be needed and like you say the servers should become the Noscript of the internet.

A idea to smooth this transition would be to start requiring sites to have a crossdomain policy within the W3C validation, as web designers are already used to validating for XHTML , why not include the security policy in there as well?