Bugtraq mailing list archives
Re: RES: A technique to mitigate cookie-stealing XSS attacks
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Fri, 08 Nov 2002 09:50:41 +0100
AQBARROS () BKB com br writes:
What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces?
It is a very interesting idea, but it would take some years to start to take effect, as non-compatible browsers would still be on the market for a few years. Can't we find a solution that works on current browsers?
This special HTTP header would instruct the client to _remove_ functionality which is unneeded. Old clients would continue to work (and leave the functionality enabled), they simply would not benefit from this additional restriction, and would have to rely on the traditional, error-prone access controls (Same Origin Policy and whatever rules exist out there).
Initially, I thought about encrypting cookie content with a server based key. But this key should have some browser-derived component, something that changes from one browser/computer to another; IP is not practical, as the client can be behind a cluster of proxies. Is there something that the browser shows only to the server and not for the client-side scripts?
This is so implementation-dependent that it cannot work in practice.

-- 
Florian Weimer            Weimer () CERT Uni-Stuttgart DE
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                  fax +49-711-685-5898
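The graceful-degradation property described above (a client that does not understand the restriction simply keeps the old behaviour, while a client that does understand it withholds the cookie from scripts) is the same pattern the real HttpOnly cookie attribute relies on. The following Python model is an added illustration, not code from the thread: it assumes a hypothetical Set-Cookie attribute named NoScript standing in for HttpOnly, and constructs the Set-Cookie lines and the two user-agent profiles in the script.

```python
"""Toy model: an opt-in cookie restriction that old user agents ignore harmlessly.

Assumptions (not from the thread): a hypothetical Set-Cookie attribute
'NoScript' (playing the role of the real HttpOnly) asks the user agent to hide
the cookie from client-side script. Header lines below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # attribute -> value or True


def parse_set_cookie(header: str, known_attributes: frozenset) -> Cookie:
    """Parse one Set-Cookie value; attributes the UA does not know are dropped."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        key = key.strip().lower()
        if key in known_attributes:
            cookie.attributes[key] = val.strip() if sep else True
    return cookie


# Attribute vocabulary of an "old" user agent versus one that learned NoScript.
OLD_UA = frozenset({"path", "domain", "expires", "secure"})
NEW_UA = OLD_UA | {"noscript"}

# Constructed sample responses: a session cookie marked NoScript, a plain one.
CONSTRUCTED_HEADERS = [
    "SESSION=abc123; Path=/; Secure; NoScript",
    "theme=dark; Path=/",
]


def simulate_user_agent(headers, known_attributes):
    """Return (cookies sent back to the server, cookies exposed to document.cookie)."""
    jar = [parse_set_cookie(h, known_attributes) for h in headers]
    # Every UA still returns all cookies to the server: nothing breaks for old clients.
    sent = {c.name: c.value for c in jar}
    # Only a UA that understood NoScript withholds the cookie from script.
    visible = {c.name: c.value for c in jar if not c.attributes.get("noscript")}
    return sent, visible
```

Run `simulate_user_agent(CONSTRUCTED_HEADERS, OLD_UA)` and `simulate_user_agent(CONSTRUCTED_HEADERS, NEW_UA)` to compare: both send the session cookie to the server, but only the new profile keeps it out of script reach.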