I.e., the header could tell the browser that the page does not use any
scripts, only uses scripts served from the same host, or only uses
scripts served from the same domain (those who use scripts from other
domains could just not send the header).
That way, if a web developer wants to inform the user's client that the
page does not use any third-party scripts, and his app has an XSS
vulnerability, the browser can refuse to execute the code.
I know about (and use) NoScript, but I still think the ability of web
developers to send a header for those who don't have something like
NoScript installed would be a good idea. Even with NoScript it would
be a good idea, i.e. a site I'm currently working on uses JS for form
validation, but doesn't use it anywhere else, including pages that
display data users submitted. The ability to have those pages send a
header saying no scripts should be processed for those pages would be
a good thing (IMHO).
Just a thought.
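The header described above is essentially what CSP's script-src directive became. The following Python model of how a browser might evaluate such a header is an added example, not code from this thread or from Mozilla's implementation; the policy strings and URLs in it are constructed, and it simplifies the real matching rules (no path or port wildcards, no nonces or hashes).

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

def script_sources(header: str) -> Optional[List[str]]:
    """Source list governing scripts: script-src, else default-src, else None (no restriction)."""
    found = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            # first occurrence of a directive wins; later duplicates are ignored
            found.setdefault(parts[0].lower(), [p.lower() for p in parts[1:]])
    return found.get("script-src", found.get("default-src"))

def _origin(url: str) -> Tuple[str, str, Optional[int]]:
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)

def _host_matches(expr: str, script: Tuple[str, str, Optional[int]]) -> bool:
    """One host-source expression: cdn.example.com, *.example.com or https://cdn.example.com."""
    scheme, _, host = expr.rpartition("://")
    if scheme and scheme != script[0]:      # an explicit scheme must match exactly
        return False
    if host == "*":
        return True
    if host.startswith("*."):               # any subdomain, but not the bare domain itself
        return script[1].endswith(host[1:])
    return script[1] == host

def script_allowed(header: str, page_url: str, script_url: Optional[str]) -> bool:
    """Would a browser run this script on page_url? script_url=None means an inline
    <script> block, which is what a reflected or stored XSS usually injects."""
    sources = script_sources(header)
    if sources is None:
        return True                         # no policy sent: the "just don't send the header" case
    if "'none'" in sources:
        return False
    if script_url is None:
        return "'unsafe-inline'" in sources # inline code is blocked unless explicitly re-enabled
    page, script = _origin(page_url), _origin(script_url)
    for src in sources:
        if src == "'self'":
            if script == page:              # same scheme, host and port as the page
                return True
        elif not src.startswith("'") and _host_matches(src, script):
            return True
    return False

if __name__ == "__main__":
    policy = "script-src 'self'"            # constructed policy: the page only self-hosts scripts
    page = "https://www.example.com/comments"
    print(script_allowed(policy, page, "https://www.example.com/js/validate.js"))  # True
    print(script_allowed(policy, page, None))                                       # False
```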
> Since so many sites are dynamically generated and can create their own
> headers, and since so many of these sites have XSS vulnerabilities,
> how about a header that tells the browser the domain scope for
> scripts?
You may be interested in the Content Security Policy work, described
here:
http://people.mozilla.org/~bsterne/content-security-policy/
Cheers,
Johnathan
---
Johnathan Nightingale
Human Shield
joh...@mozilla.com
>
> You may be interested in the Content Security Policy work, described
> here:
>
> http://people.mozilla.org/~bsterne/content-security-policy/
>
> Cheers,
>
> Johnathan
Yes! That looks exactly like what I want to see.
Hopefully something comes of it.
>
> Yes! That looks exactly like what I want to see.
> Hopefully something comes of it.
I played with it a little bit and it does exactly what I want it to do
(and more).
Only hitch is that the add-on to test it does not seem to be able to turn
it off by clicking on the icon.
Disabling it / enabling it demonstrates that it works, though.
Anyway, I hope this is something that is implemented by the browsers
out there; it would make me feel safer to know web developers are
implementing it, and it would be nice to know I can give users of my
website (once browsers implement it) some added protection against
bugs that *hopefully* are not in my code.
I like it.