Re: A technique to mitigate cookie-stealing XSS attacks
From: Valdis.Kletnieks () vt edu
Date: Wed, 06 Nov 2002 00:16:33 -0500
On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <Weimer () CERT Uni-Stuttgart DE> said:
> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?
> Is anybody interested in writing an Informational RFC on this topic?
It's one thing for a web browser to refuse to do something because it suspects
that it has been asked something underhanded (for instance, to not give a
cookie value to a script if it were tagged 'httponly').
It's something else for a server to try to restrict user agents that way.
A well-behaved user agent won't need the hints, and a malicious one won't
listen to them....
(Note - I'm talking here about a server trying to say "Thou Shalt Not Do
XYZ" and expecting to be listened to - if anything, this is a big clue to
the attacker that they should look for a way to try to do XYZ anyhow. That
never works. On the other hand, there are *lots* of areas where *HINTS*
(like the HTTP 'Expires' header) are quite valuable...)
Remember - we've seen enough Bugtraq postings about people who try to use
hidden fields in an HTML document for security, and get it wrong...
Computer Systems Senior Engineer
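The 'httponly' tag the message refers to is exactly the kind of server-side hint it describes: the server marks the cookie, and whether script is kept away from it depends entirely on the user agent. The following is an added illustration, not code from the original post or its author; it models a simplified cookie jar (assumptions: a single host, no Path/Domain matching, no expiry, attribute syntax as in the later RFC 6265) to show the two behaviours the thread contrasts: a conforming user agent still sends the HttpOnly cookie on HTTP requests but withholds it from document.cookie, while a user agent that ignores the attribute exposes everything to script.

```python
"""Model of how a user agent enforces the HttpOnly cookie attribute.

Added illustration, not code from the original message. Simplified
model (assumptions: one host, no Path/Domain matching, no expiry
handling). It shows the behaviour the thread discusses: a conforming
user agent withholds HttpOnly cookies from script (document.cookie)
while still sending them on HTTP requests; a user agent that ignores
the attribute exposes every cookie to script.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie.

    Attribute names are matched case-insensitively (RFC 6265); other
    attributes (Path, Expires, SameSite, ...) are ignored in this model.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
    return cookie


class CookieJar:
    """Cookie store of one user agent; honours_httponly=False models a UA
    that does not implement the attribute at all."""

    def __init__(self, honours_httponly: bool = True):
        self.honours_httponly = honours_httponly
        self._cookies: dict[str, Cookie] = {}

    def receive(self, set_cookie_header: str) -> None:
        c = parse_set_cookie(set_cookie_header)
        self._cookies[c.name] = c

    def cookie_header(self) -> str:
        """Value of the Cookie request header; HttpOnly never affects it."""
        return "; ".join(f"{c.name}={c.value}" for c in self._cookies.values())

    def document_cookie(self) -> str:
        """What script sees via document.cookie."""
        visible = [
            c for c in self._cookies.values()
            if not (self.honours_httponly and c.http_only)
        ]
        return "; ".join(f"{c.name}={c.value}" for c in visible)


# Constructed sample headers, as a server might emit them (not real data).
SAMPLE_HEADERS = [
    "SESSIONID=6f1a9c2e; Path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
]


def demo(honours_httponly: bool) -> tuple[str, str]:
    """Return (Cookie request header, document.cookie) for one user agent."""
    jar = CookieJar(honours_httponly=honours_httponly)
    for h in SAMPLE_HEADERS:
        jar.receive(h)
    return jar.cookie_header(), jar.document_cookie()


if __name__ == "__main__":
    for honours in (True, False):
        req, doc = demo(honours)
        label = "conforming UA" if honours else "UA ignoring HttpOnly"
        print(f"{label}: Cookie: {req!r}; document.cookie = {doc!r}")
```

The point the model makes concrete is the one in the message: the server emits the same Set-Cookie header in both cases, and only the user agent's own policy decides whether an injected script can read SESSIONID. Run the file directly to see both outcomes side by side.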