Intent to Deprecate and Remove: XSSAuditor


Thomas Sepez

Jul 15, 2019, 12:50:16
to blink-dev
Contact emails

Details

TL;DR
Bypasses abound.
It prevents some legit sites from working.
Once detected, there’s nothing good to do.
It introduces cross-site info leaks.
Fixing all the info leaks has proven difficult.

Interoperability risk
none - other browsers do not support this, and some sites which currently fail on Chrome will begin working.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux,
Chrome OS, Android, and Android WebView)? Yes or no.

Deprecated on all except iOS, where it isn't present (and we don't control its presence).

Launch Tracking Bug

EricLaw-MSFT

Jul 15, 2019, 17:17:17
to blink-dev
Thanks for the writeup, Thomas. I found https://frederik-braun.com/xssauditor-bad.html and the related discussions compelling in favor of this removal.

Yoav Weiss

Jul 15, 2019, 19:02:10
to Thomas Sepez, blink-dev
Is the XSSAuditor web exposed? You mention some sites are currently broken and this will fix them - can you give a bit more detail on why they are broken now?


Eric Lawrence

Jul 15, 2019, 19:09:54
to blink-dev, tse...@google.com
A good place to find (classes of) sites that are broken by the Auditor is the following query:

It's "Web Exposed" in the sense that the Auditor can block navigations if it believes that the target page contains script content that is found in the request (a so-called "reflection").

Such reflections may be one of three things:

   1. A true exploit of an XSS vulnerability (the ideal case, and the reason the Auditor exists)
   2. An accidental false-positive whereby the loaded page innocently happens to contain scripting content that was in the request
   3. A carefully crafted false-positive whereby an attacker is deliberately using the XSS Auditor as an oracle to detect the presence of certain strings on a victim page. (See the final section of the design doc)


-E
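
The three cases in the message above, run through a simplified model of a reflection filter. This is an added example, not part of the original post and not Chrome's XSSAuditor code; the matching rule, function names, hosts and sample markup are all assumptions made for illustration.

```javascript
// Simplified model of a reflection filter; this is not Chrome's XSSAuditor code.
// Assumption: block when the body of an inline <script> in the response also
// appears verbatim in the URL-decoded query string of the request.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => m[1].trim()).filter((s) => s.length > 0);
}

function decodedQuery(url) {
  const i = url.indexOf('?');
  const query = i === -1 ? '' : url.slice(i + 1);
  try {
    return decodeURIComponent(query.replace(/\+/g, ' '));
  } catch (e) {
    return query; // malformed escapes: fall back to the raw text
  }
}

function auditorVerdict(url, html) {
  const request = decodedQuery(url);
  const reflected = inlineScripts(html).filter((s) => request.includes(s));
  return { blocked: reflected.length > 0, reflected };
}

const enc = encodeURIComponent;
// Constructed samples, one per case in the list above (hosts and markup are made up).
const cases = {
  // 1. The server echoes q unescaped: a real reflected script.
  trueReflection: auditorVerdict(
    'https://shop.example/search?q=' + enc('<script>alert(1)</script>'),
    '<p>Results for <script>alert(1)</script></p>'),
  // 2. A static page script that the request merely happens to quote.
  accidental: auditorVerdict(
    'https://forum.example/post?body=' + enc('call <script>initMenu();</script> first'),
    '<html><script>initMenu();</script><p>Posted.</p></html>'),
  // 3. One request, two pages that never echo it: the verdict follows page content,
  //    so whoever can observe "blocked" learns which script the page contains.
  pageA: auditorVerdict(
    'https://app.example/home?x=' + enc('<script>var plan="premium";</script>'),
    '<script>var plan="premium";</script>'),
  pageB: auditorVerdict(
    'https://app.example/home?x=' + enc('<script>var plan="premium";</script>'),
    '<script>var plan="free";</script>'),
};

for (const [name, v] of Object.entries(cases)) console.log(name, v.blocked);
```

Cases 1 and 2 are indistinguishable to the filter, which is why legitimate pages get blocked; in case 3 the request is identical and only the page differs, so the block decision itself carries information about the page.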


Mike West

Jul 16, 2019, 05:47:52
to Eric Lawrence, blink-dev, Thomas Sepez
LGTM1. I wish we could have made this work, but removing it now seems like the right thing to do, given the side-channels it creates.

-mike



Yoav Weiss

Jul 16, 2019, 05:54:12
to Mike West, Eric Lawrence, blink-dev, Thomas Sepez

Jochen Eisinger

Jul 16, 2019, 06:15:47
to Yoav Weiss, Mike West, Eric Lawrence, blink-dev, Thomas Sepez

Joe Medley

Aug 27, 2019, 12:10:17
to blink-dev
I'm not sure how I missed this before. Most deprecations and removals have a Chrome Status entry so that we can let web developers know something is going away.

This doesn't have one.

Can someone please create one? I don't know how many developers this actually affects, but the TL;DR certainly suggests things we want to highlight.

Joe

bay...@gmail.com

Aug 27, 2019, 12:24:31
to blink-dev