webistor / webistor-api

Webistor server API.
http://webistor.net/

Feature/csp #3

Closed Avaq closed 10 years ago

Avaq commented 10 years ago

CSP

Cross Site Scripting (XSS) attacks are easier and easier to perform as new features are introduced to the web stack. As a result they are becoming harder and harder to detect and filter out on the server-side. One thing all XSS has in common is that information needs to be exfiltrated in order for the attack to be successful. One way to fight XSS is therefore to only send data to trusted sources.

Browsers now allow us to give them a whitelist of trusted domains, and they simply do not load any data from any other source: This is implemented under a standard called Content Security Policy (CSP). The simplicity of this system makes it very strong. It cuts off a single feature which XSS relies upon. It does however have some cons and is therefore up for discussion.

Pros

bartwr commented 10 years ago

> Browser plug-ins which add scripts to the page will not work. Bookmarklets will not work unless they have their sources explicitly white-listed.

This is only true if the bookmarklet uses scripts from https://webistor.net, right? If that's the case, we can save the bookmarklet scripts locally.

Avaq commented 10 years ago

I'm talking about third-party bookmarklets whose use is attempted on a webistor.net page. For example, if someone wanted to read their entry using a Readability bookmarklet, they'd attempt to load source from https://www.readability.com/ and, since our site does not have it listed as a trusted source, the browser will block the script and send a "false" report of a potential XSS leak to our server.