- From: Francois Daoust <fd@w3.org>
- Date: Mon, 31 Aug 2009 14:55:38 +0200
- To: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>
Hi,

I had a look at the tests Charles provided for CT around the same origin policy. It's been a few months since we last talked about that, so here are a few refresh pointers.

The goal is to find out whether we can end up with a testable guideline around link rewriting. I had asked security experts and reported to the group back in April. See the email thread for ACTION-925 at:
http://lists.w3.org/Archives/Public/public-bpwg/2009Apr/thread.html#msg14

Charles then provided tests in June to determine whether cross-site access is being granted when it should not:
http://lists.w3.org/Archives/Public/public-bpwg/2009Jun/0125.html

The tests consist of 4 tests and cover basic checks on the same origin policy. They do seem correct, although I do not pretend to be a security expert.

What seems safe to assert:

- There exist more possibilities out there to run into cross-site scripting (XSS) troubles. XSS vulnerabilities regularly show up in security bulletins of most browsers, e.g.:
  * Firefox 3.0: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
  * Opera 9.64: http://www.opera.com/docs/changelogs/windows/964/
  * IE 7.0: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1140
  * Avant Browser: http://www.avantbrowser.com/new.html
  Even though these bugs are not trivial to exploit, it is reasonable to expect similar bugs will be found in CT proxy implementations. It does not seem reasonable to believe we can cover these possibilities with a few simple tests.

- The tests cannot be run without Javascript support. Cookies may still be an issue when Javascript is off. I think most CT proxies remove scripts from content they transcode at this point, making it hard to detect such issues automatically.

- CT proxies replace security at the client by security in the middle of the network. Browser security settings that users (or companies) may set on their browser and that relate to the same origin policy will have no effect once a CT proxy is there and rewrites links. I do not know of any mobile browser where advanced security settings and/or corporate security policies may be set for the time being.

So the question is: what is the group trying to do here? Ensure basic cross-site scripting is not possible? The tests look good in that case. Ensure cross-site scripting is never possible? That is impossible to assert.

Francois.
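The third point above (link rewriting by a CT proxy defeats the browser's same origin policy) can be made concrete with a small check. The script below is an added illustration and is not part of this message nor one of Charles's tests. It assumes two hypothetical rewriting schemes: one that folds every target URL into a query parameter on a single proxy host (the pattern that collapses origins), and one that gives each original origin its own proxy host. The proxy host name and the sample links are constructed placeholders. The check computes the (scheme, host, port) origin tuple a browser uses, and lists every pair of links that were cross-origin on the real web but become same-origin once rewritten, which is exactly the separation a client-side security setting can no longer enforce.

```python
"""Check whether a link-rewriting scheme collapses distinct web origins.

Added illustration; not the WG's tests. The proxy host and sample links
are constructed placeholders.
"""
from urllib.parse import quote, urlsplit

PROXY_HOST = "ct-proxy.example"  # hypothetical CT proxy

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple used by the same origin policy."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def same_origin(a, b):
    """True when a browser would treat the two URLs as the same origin."""
    return origin(a) == origin(b)


def rewrite_query(url):
    """Hypothetical scheme 1: every target URL becomes a query parameter
    on one proxy host, so all rewritten links share a single origin."""
    return "http://%s/?u=%s" % (PROXY_HOST, quote(url, safe=""))


def rewrite_per_host(url):
    """Hypothetical scheme 2: each original origin is mapped to its own
    proxy host name (scheme and port encoded in the host), so origins that
    differed before rewriting still differ afterwards."""
    scheme, host, port = origin(url)
    parts = urlsplit(url)
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    return "%s://%s.%d.%s%s%s" % (scheme, host, port, PROXY_HOST, path, query)


def collapsed_origins(urls, rewriter):
    """Return pairs of URLs that are cross-origin before rewriting but
    same-origin after it. Each pair is a case where the browser's same
    origin policy no longer separates the two sites."""
    rewritten = {u: rewriter(u) for u in urls}
    found = []
    for i, a in enumerate(urls):
        for b in urls[i + 1:]:
            if not same_origin(a, b) and same_origin(rewritten[a], rewritten[b]):
                found.append((a, b))
    return found


# Constructed sample: four links that are all distinct origins on the real web
# (different host, different scheme, or different port).
SAMPLE_LINKS = [
    "http://bank.example/account",
    "http://attacker.example/page",
    "https://bank.example/login",
    "http://bank.example:8080/admin",
]

if __name__ == "__main__":
    for name, rw in (("query-parameter", rewrite_query), ("per-host", rewrite_per_host)):
        pairs = collapsed_origins(SAMPLE_LINKS, rw)
        print("%s rewriting: %d origin pair(s) collapsed" % (name, len(pairs)))
        for a, b in pairs:
            print("  %s  and  %s  ->  %s" % (a, b, origin(rw(a))))
```

With the query-parameter scheme every one of the six pairs collapses onto the proxy's origin, so a script injected into one transcoded page could read documents from any other transcoded site; the per-host scheme keeps the original separation, which is one reason a guideline might require that rewritten links preserve the origin boundary rather than only checking for one known XSS pattern.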
Received on Monday, 31 August 2009 12:56:14 UTC