Intent to Deprecate and Remove: XSSAuditor
5,937 views
Skip to first unread message
Thomas Sepez
Jul 15, 2019, 12:50:16 PM7/15/19
to blink-dev
Contact emails
Details
https://docs.google.com/presentation/d/1bL8BJO3GR-aosupkQSfA7Kg7x-qzjYL_8SKb6h-Tp9U/edit?usp=sharing
TL:DR
Bypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.
Fixing all the info leaks has proven difficult.
Interoperability risk
none - other browsers do not support this, and some sites which currently fail on chrome will begin working.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)? Yes or no.
Chrome OS, Android, and Android WebView)? Yes or no.
Deprecated on all except iOS, where it isn't present (and we don't control its presence).
Launch Tracking Bug
EricLaw-MSFT
Jul 15, 2019, 5:17:17 PM7/15/19
to blink-dev
Thanks for the writeup, Thomas. I found https://frederik-braun.com/xssauditor-bad.html and the related discussions compelling in favor of this removal.
On Monday, July 15, 2019 at 11:50:16 AM UTC-5, Thomas Sepez wrote:
On Monday, July 15, 2019 at 11:50:16 AM UTC-5, Thomas Sepez wrote:
Contact emails
Yoav Weiss
Jul 15, 2019, 7:02:10 PM7/15/19
to Thomas Sepez, blink-dev
Is the XSSAuditor web exposed? You mention some sites are currently broken and this will fix them - can you give a bit more details on why they are broken now?
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPYU9wRP%2BRYAdi_Fykosbjm6C9KxhZN8-wJeSmQeWAs7ABysXQ%40mail.gmail.com.
Eric Lawrence
Jul 15, 2019, 7:09:54 PM7/15/19
to blink-dev, tse...@google.com
A good place to find (classes of) sites that are broken by the Auditor is the following query:
https://bugs.chromium.org/p/chromium/issues/list?can=1&q=ERR_BLOCKED_BY_XSS_AUDITOR; this one in particular.
It's "Web Exposed" in the sense that the Auditor can block navigations if it believes that the target page contains script content that is found in the request (a so-called "reflection").
Such reflections may be one of three things:
1. A true exploit of an XSS vulnerability (the ideal case, and the reason the Auditor exists)
2. An accidental false-positive whereby the loaded page innocently happens to contain scripting content that was in the request
3. A carefully crafted false-positive whereby an attacker is deliberately using the XSS Auditor as an oracle to detect the presence of certain strings on a victim page. (See the final section of the design doc)
-E
On Monday, July 15, 2019 at 6:02:10 PM UTC-5, Yoav Weiss wrote:
Is the XSSAuditor web exposed? You mention some sites are currently broken and this will fix them - can you give a bit more details on why they are broken now?
On Mon, Jul 15, 2019 at 6:50 PM 'Thomas Sepez' via blink-dev <blin...@chromium.org> wrote:
Contact emails
Detailshttps://docs.google.com/presentation/d/1bL8BJO3GR-aosupkQSfA7Kg7x-qzjYL_8SKb6h-Tp9U/edit?usp=sharingTL:DRBypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.Fixing all the info leaks has proven difficult.Interoperability risknone - other browsers do not support this, and some sites which currently fail on chrome will begin working.Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)? Yes or no.Deprecated on all except iOS, where it isn't present (and we don't control its presence).Launch Tracking Bug
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Mike West
Jul 16, 2019, 5:47:52 AM7/16/19
to Eric Lawrence, blink-dev, Thomas Sepez
LGTM1. I wish we could have made this work, but removing it now seems like the right thing to do, given the side-channels it creates.
-mike
On Tue, Jul 16, 2019 at 1:10 AM Eric Lawrence <elaw...@chromium.org> wrote:
A good place to find (classes of) sites that are broken by the Auditor is the following query:https://bugs.chromium.org/p/chromium/issues/list?can=1&q=ERR_BLOCKED_BY_XSS_AUDITOR; this one in particular.It's "Web Exposed" in the sense that the Auditor can block navigations if it believes that the target page contains script content that is found in the request (a so-called "reflection").Such reflections may be one of three things:1. A true exploit of an XSS vulnerability (the ideal case, and the reason the Auditor exists)2. An accidental false-positive whereby the loaded page innocently happens to contain scripting content that was in the request3. A carefully crafted false-positive whereby an attacker is deliberately using the XSS Auditor as an oracle to detect the presence of certain strings on a victim page. (See the final section of the design doc)-E
On Monday, July 15, 2019 at 6:02:10 PM UTC-5, Yoav Weiss wrote:
Is the XSSAuditor web exposed? You mention some sites are currently broken and this will fix them - can you give a bit more details on why they are broken now?
On Mon, Jul 15, 2019 at 6:50 PM 'Thomas Sepez' via blink-dev <blin...@chromium.org> wrote:
Contact emails
Detailshttps://docs.google.com/presentation/d/1bL8BJO3GR-aosupkQSfA7Kg7x-qzjYL_8SKb6h-Tp9U/edit?usp=sharingTL:DRBypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.Fixing all the info leaks has proven difficult.Interoperability risknone - other browsers do not support this, and some sites which currently fail on chrome will begin working.Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)? Yes or no.Deprecated on all except iOS, where it isn't present (and we don't control its presence).Launch Tracking Bug
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPYU9wRP%2BRYAdi_Fykosbjm6C9KxhZN8-wJeSmQeWAs7ABysXQ%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/7bea7195-457c-4df6-a6de-1047838f8df3%40chromium.org.
Yoav Weiss
Jul 16, 2019, 5:54:12 AM7/16/19
to Mike West, Eric Lawrence, blink-dev, Thomas Sepez
LGTM2
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DeNk-24CYtBhRPgtAP_Tzk5jd6%3DQuy2Q09wAVsntJSEDQ%40mail.gmail.com.
Jochen Eisinger
Jul 16, 2019, 6:15:47 AM7/16/19
to Yoav Weiss, Mike West, Eric Lawrence, blink-dev, Thomas Sepez
LGTM3
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACj%3DBEhLO5-JyL6uMBW_3ed5PiWXXtQgEYsHfQZtJ8fL2rs70A%40mail.gmail.com.
Joe Medley
Aug 27, 2019, 12:10:17 PM8/27/19
to blink-dev
I'm not sure how I missed this before. Most deprecations and removals have a Chrome Status entry so that we can let web developers know something is going away.
This doesn't have one.
Can someone please create one. I don't know how many developers this actually affects, but the TL;DR certainly suggests things we want to highlight.
Joe
bay...@gmail.com
Aug 27, 2019, 12:24:31 PM8/27/19
to blink-dev
Reply all
Reply to author
Forward
0 new messages