Tag to disable unwanted features? from Lincoln Yeoh on 2007-08-09 (www-html@w3.org from August 2007)

From: Lincoln Yeoh <lyeoh@pop.jaring.my>
Date: Fri, 10 Aug 2007 02:55:25 +0800
To: www-html@w3.org
Message-Id: <200708091858.l79IwWgN071608@smtp2.jaring.my>

Hi,

I think it's way overdue to have a security oriented tag to disable 
unwanted features. I proposed something like this here 5 years ago 
(2002), and I'm back here to propose it again.

Recap on why such tags are needed:

Say you run a site (webmail, myspace (remember the worm?), bbs etc) 
that is displaying content from 3rd parties (spammers, attackers) to 
unknown browsers (with different parsing bugs/behaviour).

With such tags you can give hints to the browsers to disable unwanted 
stuff between the tags, so that even if your site's filtering is 
insufficient (doesn't account for a problem in a new tag, or the 
browser interprets things differently/incorrectly), a browser that 
supports the tag will know that stuff is disabled, and thus the exploit fails.

I'm suggesting something like:

<restricton lock="Random_hard_to_guess_string" except="java,safe-html" />
browser ignores features except for java and safe-html.
unsafe content here, but rendered safely by browser
<restrictoff lock="wrong_string" />
more unsafe content here but still rendered safely by browser
<restrictoff lock="Random_hard_to_guess_string" />
all features re-enabled

safe-html = a subset of html that we can be confident that popular 
browsers can render without being exploited e.g. <em>, <p>).

It doesn't have to be exactly as I suggest. Please do help fix it so 
it's compliant to whatever the standard is now, and do suggest 
improvements. This is more of a draft for discussion - safe-html 
needs to be defined, and the feature specifying bits probably need improvement.

Basically I believe that HTML needs more "stop/brake" tags, and not 
just "turn/go faster" tags.

Before anyone brings it up again, YES we must still attempt to filter 
stuff out (use libraries etc), the proposed tags are to be a safety 
net. Defense in depth.

I don't have lots of resources or any organization behind me to push 
this through. But who knows, maybe everyone will get lucky (though 
probably a bit late for myspace ;) ).

Regards,
Link.

Received on Thursday, 9 August 2007 23:06:24 UTC