[13472] in bugtraq
Re: Some discussion in http-wg ... FW: webmail vulnerabilities: a
daemon@ATHENA.MIT.EDU (Ryan Russell)
Fri Jan 21 14:59:52 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <8825686C.006C6EC6.00@gwwest.sybase.com>
Date: Thu, 20 Jan 2000 11:44:06 -0800
Reply-To: Ryan Russell <Ryan.Russell@SYBASE.COM>
From: Ryan Russell <Ryan.Russell@SYBASE.COM>
X-To: "Eric D. Williams" <eric@INFOBRO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

A couple of comments in a couple different directions...

Eric states that there will be implementation issues.
To be nastier about it, if the browser vendors can't shut off
Javascript when I hit the checkbox, why think they could
do it by following an HTML directive?

And to pre-hack the idea.. chances are that I'm going to be able
to do something to escape the headers... i.e. I'll find a way to start
a new set of headers, perhaps opening a new frame.

> It would be nice if there were an HTTP header that, if sent to the
> client, would cause the client to disable javascript, vbscript, etc. for
> that document only. Sites who wished to display untrusted pages (webmail
> sites, web discussion forums, etc.) could then use a multi-frame layout.
> Any frame that contained untrusted code would have this header included in
> the delivery of its content to ensure that the scripts would not be
> evaluated, regardless of the normal client settings; other frames, whose
> "trusted" documents would be sent without this header, would still be able
> to use scripting (if enabled on the client).

I don't want to discourage the idea necessarily, just pick on the
browser vendors. Perhaps they'd have a better chance of
getting it right the first time that way.

On a different tangent:

Several folks suggested that all tags be stripped unless they are
"known safe".

Doing so will kill your ability to mail around C code, unless you
HTMLize it first. If you don't, all your #<includes> will disappear,
and perhaps the rest of the note if it's waiting for a #</include> :)

Ryan
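
The tag-stripping point in the message above, as an added example that is not part of the original post: an allowlist filter applied directly to a plain-text body silently eats `<stdio.h>`, while escaping the text first ("HTMLizing" it) lets it pass through the same filter intact. The allowlist, the function names and the sample message body are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist for illustration; a real webmail filter would choose its own.
SAFE_TAGS = {"b", "i", "p", "br", "pre"}


class AllowlistStripper(HTMLParser):
    """Keep text and allowlisted tags (attributes dropped); discard every other tag."""

    def __init__(self):
        # Leave character references untouched so escaped text survives as-is.
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in SAFE_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in SAFE_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_unknown_tags(body):
    """Run the allowlist filter over a message body and return the result."""
    parser = AllowlistStripper()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def render_plain_text(body):
    """'HTMLize' a plain-text body: escape markup characters, then wrap for display."""
    return "<pre>" + html.escape(body, quote=False) + "</pre>"


# Constructed sample: a plain-text mail body containing C code.
MAIL_BODY = "Try this:\n#include <stdio.h>\nint main(void) { return 0; }\n"

if __name__ == "__main__":
    print(strip_unknown_tags(MAIL_BODY))                     # header name is gone
    print(strip_unknown_tags(render_plain_text(MAIL_BODY)))  # header name survives
```

The filter cannot tell `<stdio.h>` from an unknown HTML tag, so the decision to treat a body as text or as markup has to be made before filtering, not by the filter.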