Bugtraq mailing list archives

Re: RES: A technique to mitigate cookie-stealing XSS attacks


From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Fri, 08 Nov 2002 09:50:41 +0100

AQBARROS () BKB com br writes:

What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?

It is a very interesting idea, but it would take some years to start to take
effect, as non-compatible browsers would still be on the market for a few
years; can't we find a solution that works on current browsers?

This special HTTP header would instruct the client to _remove_
functionality which is unneeded.  Old clients would continue to work
(and leave the functionality enabled), they simply would not benefit
from this additional restriction, and would have to rely on the
traditional, error-prone access controls (Same Origin Policy and
whatever rules exist out there).

Initially, I thought about encrypting cookie content with a server based
key. But this key should have some browser-derived component, something that
changes from one browser/computer to another; IP is not practical, as the
client can be behind a cluster of proxies. Is there something that the
browser shows only to the server and not for the client-side scripts?

This is so implementation-dependent that it cannot work in practice.

-- 
Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
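The backward-compatibility argument above, as an added example that is not part of this thread: a small Node.js model of a cookie jar in which a client enforces only the Set-Cookie attributes it implements and ignores the rest, so an older client keeps working while a newer one gains the restriction. It uses the HttpOnly attribute (RFC 6265), which later standardised this idea for cookies; the cookie names and values are constructed sample data.

```javascript
// Added example, not from the thread. Models the reply's point: a restricting
// Set-Cookie attribute is enforced by clients that understand it and ignored
// by clients that do not, which still work (without the benefit). The attribute
// used is HttpOnly (RFC 6265); all cookie data below is constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null; // malformed: empty name or no '='
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Build a cookie jar. `knownAttrs` lists the attributes this client implements;
// anything else is dropped, which is how RFC 6265 says unknown attributes are handled.
function storeCookies(setCookieHeaders, knownAttrs) {
  const known = new Set(knownAttrs.map((a) => a.toLowerCase()));
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c) continue;
    const effective = {};
    for (const [k, v] of Object.entries(c.attrs)) if (known.has(k)) effective[k] = v;
    jar.set(c.name, { value: c.value, attrs: effective });
  }
  return jar;
}

// What a page script sees in document.cookie: HttpOnly cookies are withheld
// only by clients that recorded the attribute as effective.
function scriptVisibleCookies(jar) {
  return [...jar].filter(([, c]) => !c.attrs.httponly).map(([n, c]) => `${n}=${c.value}`).join("; ");
}

// What the browser sends back in the Cookie request header: unaffected either way.
function requestCookieHeader(jar) {
  return [...jar].map(([n, c]) => `${n}=${c.value}`).join("; ");
}

// Constructed sample response headers: a session cookie marked HttpOnly and a plain one.
const SAMPLE_HEADERS = ["SESSIONID=abc123; Path=/; HttpOnly", "theme=dark; Path=/"];
const OLD_CLIENT_ATTRS = ["path", "domain", "expires"];            // predates HttpOnly
const NEW_CLIENT_ATTRS = ["path", "domain", "expires", "httponly"]; // implements it
```

Running `scriptVisibleCookies` on jars built with the two attribute lists shows the old client still exposing SESSIONID to scripts while the new one hides it, and `requestCookieHeader` is identical for both.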

