
Status of proposed Firefox XSS filter in bug 528661?


Andreas Vikne

Mar 1, 2018, 2:52:07 PM
to dev-se...@lists.mozilla.org
Hello,

What is the current status of the proposed XSS filter for Firefox as
described in this bug report?
https://bugzilla.mozilla.org/show_bug.cgi?id=528661

I have found some more info regarding this filter:
https://wiki.mozilla.org/Security/Features/XSS_Filter
https://wiki.mozilla.org/Security/Reviews/xssfilter

I am interested in a working implementation of an XSS filter for Firefox
based on the same techniques described in these links. I do not find any
updates since 2012 about this topic; is this something that is completely
abandoned?
I understand that an XSS filter is not a prioritized feature, but is this
the only reason why there are no updates?

Regards, Andreas

Frederik Braun

Mar 5, 2018, 5:14:21 AM
to dev-se...@lists.mozilla.org, Giorgio Maone
Hi Andreas,

There have been numerous discussions, the latest one in late 2016 and we
had come to the conclusion that it is currently not worth the effort for
Firefox to provide a built-in feature:

An XSS filter cannot protect against stored (aka persistent) XSS or DOM
XSS, which has recently become more and more prevalent.
An XSS filter is prone to security holes if not maintained very
diligently and actively. It is hard to justify security engineering time
on a feature that provides limited value.
Lastly, there is an XSS filter in NoScript that people can use.

If you're interested in implementing an XSS filter, I recommend doing
this as a Web Extension.
Maybe talk to Giorgio Maone (CC'd), the NoScript maintainer, and see if
there's a shared interest for shipping the NoScript xss-filter as its
own extension.

FWIW, the interesting code is at [1].

Good luck!
Freddy



[1] This is an unofficial mirror, but the most convenient way to link to
the source code for me:
<https://github.com/avian2/noscript/blob/fa01ea95f206f73254e918dd2d4dcb41e1655e93/xpi/chrome/content/noscript/RequestWatchdog.js#L343>
and
<https://github.com/avian2/noscript/blob/fa01ea95f206f73254e918dd2d4dcb41e1655e93/xpi/chrome/content/noscript/InjectionChecker.js>
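The limitation Frederik describes (a request/response filter is blind to stored and DOM-based XSS) can be shown with a small model of the core check such filters perform. The following is an added example written for this page, not NoScript's or Firefox's code; the `reflectedXssFindings` function, the `example.test` URLs and the `marker()` script string are all constructed for illustration. It runs under Node.js.

```javascript
// Added example (not from NoScript or Firefox): a minimal model of the
// request/response comparison at the heart of a reflected-XSS filter,
// and the two cases it cannot see.

// A reflected value can only start markup or script if it carries
// characters that break out of its context; anything else is ignored.
const RISKY = /[<>"'`]|javascript:/i;

// Split a request URL into its decoded query parameters and its fragment.
// The fragment is kept separately because the browser never sends it.
function parseRequest(url) {
  const u = new URL(url);
  const params = [];
  for (const [name, value] of u.searchParams) params.push({ name, value });
  return { params, fragment: u.hash };
}

// Flag any risky request parameter that reappears verbatim in the response.
// Short values are skipped so that ordinary words do not trigger findings.
function reflectedXssFindings(requestUrl, responseBody) {
  const { params } = parseRequest(requestUrl);
  const findings = [];
  for (const { name, value } of params) {
    if (value.length < 8 || !RISKY.test(value)) continue;
    if (responseBody.includes(value)) findings.push({ param: name, value });
  }
  return findings;
}

// Constructed marker string: inert, only used to see whether it is echoed.
const MARKER = "<script>marker()</script>";

// 1. Reflected: the server echoes the query parameter into the page,
//    so the request carries the evidence and the filter can act.
function reflectedScenario() {
  const url = "https://example.test/search?q=" + encodeURIComponent(MARKER);
  const body = `<p>Results for ${MARKER}</p>`;
  return reflectedXssFindings(url, body);
}

// 2. Stored: the markup was saved by an earlier request; this request is
//    innocuous, so comparing it with the response finds nothing.
function storedScenario() {
  const url = "https://example.test/comments?page=1";
  const body = `<div class="comment">${MARKER}</div>`;
  return reflectedXssFindings(url, body);
}

// 3. DOM-based: the value lives in the fragment, which never reaches the
//    server. The response is clean; any injection happens later, client-side,
//    where a request/response filter has no visibility.
function domScenario() {
  const url = "https://example.test/app#name=" + encodeURIComponent(MARKER);
  const body = `<script src="/app.js"></script>`; // app.js reads location.hash
  return {
    findings: reflectedXssFindings(url, body),
    fragmentPresent: parseRequest(url).fragment.length > 0,
  };
}

console.log("reflected:", reflectedScenario().length, "finding(s)");
console.log("stored:   ", storedScenario().length, "finding(s)");
console.log("DOM:      ", domScenario().findings.length, "finding(s)");
```

Only the first scenario produces a finding. The other two are exactly the cases the reply lists: the injected content is either already on the server or never leaves the client, so no amount of tuning the request/response comparison can reach them, which is why server-side output encoding and a Content Security Policy remain the primary defences.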