Improve and update the existing Security Considerations #351
Conversation
mozfreddyb
force-pushed
the
improved-threat-mode-descr-fix-287
branch
from
5e625d3 to
db63861
Compare
mozfreddyb
force-pushed
the
improved-threat-mode-descr-fix-287
branch
from
db63861 to
3a5c90f
Compare
index.bs
Outdated
|
|
||
| # Security Considerations # {#security-considerations} | ||
|
|
||
| The Sanitizer API is intended to prevent DOM-based Cross-Site Scripting |
There was a problem hiding this comment.
In the heading below we just use "XSS". We should probably be somewhat consistent in this document about that. And we might also need a reference for this term I suppose if we want to use it.
There was a problem hiding this comment.
Is MDN an acceptable reference for web specifications?
There was a problem hiding this comment.
Maybe, because it's only for non-normative text. But it gets kinda circular and doesn't seem ideal.
There was a problem hiding this comment.
do you think we need to define it ourselves instead?
index.bs
Outdated
| : `<math>` MathML math | ||
| :: The reasoning for the inclusion of MathML is solely based on [[SafeMathML]]. | ||
| : `<svg>` | ||
| :: This element is not allowed, because it leads to HTTP requests to arbitrary hosts. |
There was a problem hiding this comment.
I thought we did allow some Math and SVG by default?
There was a problem hiding this comment.
- MathML is some allowed as can only be seen when following the reference. I'll make it explicit
- You're right and I think I got that wrong. Will correct this in a follow-up.
There was a problem hiding this comment.
The PR is getting a bit too unwieldy for my personal preference. I'll do the SVG/MATHML/HTML tables in a follow-up
…s in a cohesive way with a table and footnotes.
annevk
left a comment
annevk
left a comment
There was a problem hiding this comment.
I'm not sure how I feel about the "Index" section. It largely duplicates the existing lists, with some words added. That would probably be better inline?
Well, I guess we need a place for detailed reasoning that's going to come in the #354 follow-up. I can add this to Security Considerations instead if that's preferable? |
| <tr> | ||
| <td><code>object</code></td> | ||
| <td>http://www.w3.org/1999/xhtml</td> | ||
| <td>This element is disallowed because it can include other, untrusted documents and including scripts.</td> |
There was a problem hiding this comment.
"including scripts" doesn't seem grammatically correct to me.
|
|
||
| While the Sanitizer aims to disallow Cross-Site Scripting attacks [[XSS]], the default | ||
| settings are a bit stricter and do not include elements that may change page | ||
| settings, layout or fetch resources from other origins. The following elements |
There was a problem hiding this comment.
We don't/can't really differentiate between fetching resources from same vs. other origins, so this seems too specific.
| ## Elements and attributes not allowed in the default config ## {#default-disallowed-elements} | ||
|
|
||
| While the Sanitizer aims to disallow Cross-Site Scripting attacks [[XSS]], the default | ||
| settings are a bit stricter and do not include elements that may change page |
There was a problem hiding this comment.
"a bit" feels a bit off here. Maybe "the default settings are purposefully stricter"
|
The definition of the kinds of XSS we try to prevent is central to defining our threat model, so I would prefer if it was clearly laid out as part of the specification instead of a link to MDN. |
| the construction of a Sanitizer object that leaves script-capable markup in | ||
| and doing so would be a bug in the threat model. | ||
| The Sanitizer API is intended to prevent DOM-based Cross-Site Scripting [[XSS]] | ||
| by traversing supplied HTML content and removing elements and attributes |
There was a problem hiding this comment.
Maybe clarify that sanitzation happens before inserting. E.g.:
[...] by traversing supplied HTML content, after parsing but before insertion into any document, and removing [...]
I think this is obvious to us, but I think a lot of people haven't entirely thought through the "when" aspect of sanitiaztion.
|
|
||
| The Sanitizer API offers only functions that turn a string into a node tree. | ||
| The context is supplied implicitly by all sanitizer functions: | ||
| The Sanitizer API offers functions that combine parsing, sanitization and insertion. |
There was a problem hiding this comment.
This is very true. I wonder if it bears saying at the top of this section, in the paragraph "The Sanitizer API is intended to [...]". Maybe instead of the comment I've proposed there.
4 participants
Preview | Diff