Intent to Deprecate and Remove: XSSAuditor

Thomas Sepez

Jul 15, 2019, 12:50:16
to blink-dev
Contact emails

Details

TL;DR
Bypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.
Fixing all the info leaks has proven difficult.

Interoperability risk
None - other browsers do not support this, and some sites which currently fail on Chrome will begin working.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)? Yes or no.

Deprecated on all except iOS, where it isn't present (and we don't control its presence).

Launch Tracking Bug

EricLaw-MSFT

Jul 15, 2019, 17:17:17
to blink-dev
Thanks for the writeup, Thomas. I found https://frederik-braun.com/xssauditor-bad.html and the related discussions compelling in favor of this removal.

On Monday, July 15, 2019 at 11:50:16 AM UTC-5, Thomas Sepez wrote:

Yoav Weiss

Jul 15, 2019, 19:02:10
to Thomas Sepez, blink-dev
Is the XSSAuditor web exposed? You mention some sites are currently broken and this will fix them - can you give a bit more details on why they are broken now?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPYU9wRP%2BRYAdi_Fykosbjm6C9KxhZN8-wJeSmQeWAs7ABysXQ%40mail.gmail.com.

Eric Lawrence

Jul 15, 2019, 19:09:54
to blink-dev, tse...@google.com
A good place to find (classes of) sites that are broken by the Auditor is the following query:

It's "Web Exposed" in the sense that the Auditor can block navigations if it believes that the target page contains script content that is found in the request (a so-called "reflection").

Such reflections may be one of three things:

   1. A true exploit of an XSS vulnerability (the ideal case, and the reason the Auditor exists)
   2. An accidental false-positive whereby the loaded page innocently happens to contain scripting content that was in the request
   3. A carefully crafted false-positive whereby an attacker is deliberately using the XSS Auditor as an oracle to detect the presence of certain strings on a victim page. (See the final section of the design doc)


-E
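
A simplified model of the reflection check described in the message above, as an added example that is not part of the original thread and is not Chrome's XSSAuditor algorithm; the function names, URLs and page bodies are constructed. It shows why a filter that only compares request text with response scripts flags case 2 exactly as it flags case 1.

```javascript
// Simplified model of a reflection-based XSS filter (illustrative; not Chrome's algorithm).
// All URLs and page bodies below are constructed samples.

// Collect every inline <script>...</script> element found in the response body.
function inlineScripts(html) {
  return html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi) || [];
}

// Normalize for comparison: lowercase and drop whitespace.
function normalize(s) {
  return s.toLowerCase().replace(/\s+/g, "");
}

// Decoded query-string values: the request data a reflected script would come from.
function requestValues(url) {
  return [...new URL(url).searchParams.values()].map(normalize);
}

// Flag the response when any inline script also appears in the request.
function auditReflection(url, html) {
  const values = requestValues(url);
  const matches = inlineScripts(html).filter((script) =>
    values.some((v) => v.includes(normalize(script)))
  );
  return { blocked: matches.length > 0, matches };
}

const payload = encodeURIComponent("<script>alert(1)</script>");
const widget = "<script>initEditor()</script>";

// Case 1: the server echoes the parameter unescaped (a real reflected XSS).
const reflected = auditReflection(
  `https://shop.example/search?q=${payload}`,
  "<p>Results for <script>alert(1)</script></p>"
);

// Case 2: the page always ships this script; the request merely carries the same text.
const accidental = auditReflection(
  `https://cms.example/save?body=${encodeURIComponent("<p>hi</p>" + widget)}`,
  `<html><body>${widget}<p>Saved.</p></body></html>`
);

// A server that HTML-escapes its output produces no script element to match.
const escaped = auditReflection(
  `https://shop.example/search?q=${payload}`,
  "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>"
);

console.log(reflected.blocked, accidental.blocked, escaped.blocked); // true true false
```

The filter sees only string overlap, so the second page is blocked even though nothing was reflected; output encoding on the server is what actually separates the first page from the third.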


Mike West

Jul 16, 2019, 05:47:52
to Eric Lawrence, blink-dev, Thomas Sepez
LGTM1. I wish we could have made this work, but removing it now seems like the right thing to do, given the side-channels it creates.

-mike



Yoav Weiss

Jul 16, 2019, 05:54:12
to Mike West, Eric Lawrence, blink-dev, Thomas Sepez

Jochen Eisinger

Jul 16, 2019, 06:15:47
to Yoav Weiss, Mike West, Eric Lawrence, blink-dev, Thomas Sepez

Joe Medley

Aug 27, 2019, 12:10:17
to blink-dev
I'm not sure how I missed this before. Most deprecations and removals have a Chrome Status entry so that we can let web developers know something is going away. 

This doesn't have one.

Can someone please create one? I don't know how many developers this actually affects, but the TL;DR certainly suggests things we want to highlight.

Joe

bay...@gmail.com

Aug 27, 2019, 12:24:31
to blink-dev