Bugtraq Archives: Re: Some discussion in http-wg ... FW: webmai

Re: Some discussion in http-wg ... FW: webmail vulnerabilities: a new pragma token?


Subject: Re: Some discussion in http-wg ... FW: webmail vulnerabilities: a new pragma token?
From: Ryan Russell (Ryan.RussellSYBASE.COM)
Date: Thu Jan 20 2000 - 13:44:06 CST


A couple of comments in a couple different directions...

Eric states that there will be implementation issues.

To be nastier about it, if the browser vendors can't shut off
Javascript when I hit the checkbox, why think they could
do it by following an HTML directive?

And to pre-hack the idea.. chances are that I'm going to be able
to do something to escape the headers... i.e. I'll find a way to start
a new set of headers, perhaps opening a new frame.

> It would be nice if there were on an HTTP header that, if sent to the
> client, would cause the client to disable javascript, vbscript, etc. for
> that document only. Sites who wished to display untrusted pages (webmail
> sites, web discussion forums, etc.) could then use a multi-frame layout.
> Any frame that contained untrusted code would have this header included in
> the delivery of its content to ensure that the scripts would not be
> evaluated, regardless of the normal client settings; other frames, whose
> "trusted" documents would be sent without this header, would still be able
> to use scripting (if enabled on the client).

I don't want to discourage the idea necessarily, just pick on the
browser vendors. Perhaps they'd have a better chance of
getting it right the first time that way.

On a different tangent:

Several folks suggested that all tags be stripped unless they are
"known safe".

Doing so will kill your ability to mail around C code, unless you
HTMLize it first. If you don't, all your #<includes> will disappear,
and perhaps the rest of the note if it's waiting for a #</include> :)

                         Ryan
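The tag-stripping pitfall the post ends on, as an added example that is not part of the original message: a small Python sanitizer that contrasts dropping unknown tags with escaping them, using an assumed five-tag allowlist and a constructed sample mail body.

```python
import re
from html import escape

# Assumed allowlist of "known safe" tags for this example; a real webmail
# sanitizer would need a far more careful list and an attribute policy.
SAFE_TAGS = {"p", "b", "i", "br", "pre"}

# Matches anything that looks like a tag: <name ...> or </name>.
# Note that C's "<stdio.h>" matches exactly like an HTML tag does.
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9.]*)[^>]*>")


def _rebuilt(m):
    """Re-emit an allowlisted tag without its attributes (drops onclick= and friends)."""
    return f"<{m.group(1)}{m.group(2).lower()}>"


def strip_unknown_tags(html: str) -> str:
    """The approach discussed in the thread: delete any tag not on the allowlist."""
    return TAG_RE.sub(lambda m: _rebuilt(m) if m.group(2).lower() in SAFE_TAGS else "", html)


def escape_unknown_tags(html: str) -> str:
    """Alternative: keep allowlisted tags as markup, HTML-escape everything else,
    so text like '#include <stdio.h>' is displayed literally instead of lost."""
    out, pos = [], 0
    for m in TAG_RE.finditer(html):
        out.append(escape(html[pos:m.start()]))      # plain text between tags
        if m.group(2).lower() in SAFE_TAGS:
            out.append(_rebuilt(m))                  # allowlisted: keep as a tag
        else:
            out.append(escape(m.group(0)))           # unknown: render as literal text
        pos = m.end()
    out.append(escape(html[pos:]))
    return "".join(out)


# Constructed sample message body: a C snippet mailed around inside <pre>.
SAMPLE_MAIL = "<p>Try this:</p><pre>#include <stdio.h>\nint main(void) { return 0; }</pre>"

if __name__ == "__main__":
    print(strip_unknown_tags(SAMPLE_MAIL))   # the #include line loses its header name
    print(escape_unknown_tags(SAMPLE_MAIL))  # the header name survives as &lt;stdio.h&gt;
```

Both variants rebuild allowlisted tags without attributes, so the difference between them is only what happens to everything else: silent deletion versus visible, inert text.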



This archive was generated by hypermail 2b27 : Fri Jan 21 2000 - 13:33:03 CST