Bugtraq mailing list archives
Re: A technique to mitigate cookie-stealing XSS attacks
From: daw () mozart cs berkeley edu (David Wagner)
Date: 8 Nov 2002 04:23:56 GMT
Florian Weimer wrote:
> What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces?
HTTP headers are arguably the wrong place, but it might make sense to have a <NOSCRIPTS> tag that would require the browser to turn off all scripting for the entire HTML document, or somesuch. For instance, application-layer proxies could add such a tag to all data crossing the firewall, and places like Hotmail prepend such a tag to all HTML-formatted email they receive before displaying it to the user. Of course, we would have to trust browsers to respect such a tag, but it could potentially give a very simple, high-assurance way to turn off dangerous features.