BugTraq
A technique to mitigate cookie-stealing XSS attacks Nov 05 2002 06:44PM
Michael Howard (mikehow microsoft com) (3 replies)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 11 2002 06:19PM
Jeremiah Grossman (jeremiah whitehatsec com) (1 replies)
RE: A technique to mitigate cookie-stealing XSS attacks Nov 12 2002 12:46AM
Jason Coombs (jasonc science org)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 07 2002 08:26PM
Justin King (justin othius com) (1 replies)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 10 2002 03:21AM
Ulf Harnhammar (ulfh update uu se) (2 replies)
RE: A technique to mitigate cookie-stealing XSS attacks Nov 12 2002 10:43AM
jasonk (jasonk swin edu au)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 11 2002 08:29PM
Seth Arnold (sarnold wirex com)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 05 2002 09:38PM
Florian Weimer (Weimer CERT Uni-Stuttgart DE) (2 replies)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 08 2002 04:23AM
daw mozart cs berkeley edu (David Wagner)
Florian Weimer wrote:
>What about HTTP headers which advise user agents to disable some
>features, e.g. read/write access to the document or parts of it via
>scripting or other Internet Explorer interfaces?

HTTP headers are arguably the wrong place, but it might make sense to
have a <NOSCRIPTS> tag that would require the browser to turn off all
scripting for the entire HTML document, or somesuch. For instance,
application-layer proxies could add such a tag to all data crossing the
firewall, and places like Hotmail prepend such a tag to all HTML-formatted
email they receive before displaying it to the user. Of course, we would
have to trust browsers to respect such a tag, but it could potentially
give a very simple, high-assurance way to turn off dangerous features.

Re: A technique to mitigate cookie-stealing XSS attacks Nov 06 2002 05:16AM
Valdis Kletnieks vt edu (1 replies)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 08 2002 10:12AM
Florian Weimer (Weimer CERT Uni-Stuttgart DE)
Copyright 2010, SecurityFocus