Brad Fitzpatrick, founder of LiveJournal, has a blog post entitled "Firefox bugs" where he talks about some of the issues that led to the recent account hijackings on the LiveJournal service.
What I found most interesting were Brad's comments on Bug 324253, "Do Something about the XSS issues that -moz-binding introduces", in the Firefox bugzilla database. Brad wrote:
Hello, this is Brad Fitzpatrick from LiveJournal.
Just to clear up any confusion: we do have a very strict HTML sanitizer. But
we made the decision (years ago) to allow users to host CSS files offsite
because... why not? It's just style declarations, right?
But then came along behavior, expression, -moz-binding, etc, etc...
Now CSS is full of JavaScript. Bleh.
But Internet Explorer has two huge advantages over Mozilla:
-- HttpOnly cookies (Bug 178993), which LiveJournal sponsored for Mozilla, over
a year ago. Still not in tree.
-- same-origin restrictions, so an offsite behavior/binding can't mess with the
calling node's DOM/Cookies/etc.
Either one of these would've saved our ass.
Now, I understand the need to innovate and add things like -moz-bindings, but
please keep in mind the authors of webapps which are fighting a constant battle
to improve their HTML sanitizers against new features which are added to the
browser.
What we'd REALLY love is some document meta tag or HTTP response header that
declares the local document safe from all external scripts. HttpOnly cookies
are such a beautiful idea, we'd be happy with just that, but Comment 10 is also
a great proposal... being able to declare the trust level, effectively, of
external resources. Then our HTML cleaner would just insert/remove the
untrusted/trusted, respectively.
Cross-site scripting attacks are a big problem for websites that
allow users to provide HTML input. LiveJournal isn't the only major
blogging site to have been hit by them; last year the 'samy is my hero' worm hit MySpace and caused some downtime for the service.
What I find interesting about Brad's post is how, on the one hand,
richer browser features such as JavaScript embedded in CSS are
desirable, while on the other they become a burden for developers
building web apps, who now have to worry that even stylesheets can
contain malicious code.
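To make the burden concrete, here is a small sanitizer for inline style declarations that drops the script-capable CSS Brad lists (IE's behavior and expression(), Firefox's -moz-binding, plus javascript: and url() references). It is an added example, not LiveJournal's HTML cleaner; the property list and patterns are my own assumptions, and the normalization step exists because a cleaner that checks the raw text misses CSS comments and escapes hidden inside a property name.

```python
import re

# Script-capable CSS from the era this post discusses (assumed list):
# IE's `behavior` and `expression()`, Firefox's `-moz-binding`, plus
# `javascript:` URLs and any `url()` so offsite files cannot be pulled in.
SCRIPT_PROPERTIES = {"behavior", "-moz-binding"}
SCRIPT_VALUE_RE = re.compile(r"expression\s*\(|javascript\s*:|url\s*\(")


def _normalize(text: str) -> str:
    """Undo the tricks a naive cleaner trips over: CSS comments inside a
    token (exp/**/ression), hex escapes (\\65xpression) and single-character
    escapes (\\e), then collapse whitespace and lowercase."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"\\([0-9a-fA-F]{1,6})\s?",
                  lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\(.)", r"\1", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def sanitize_style(style: str) -> str:
    """Return the declarations of an inline style attribute with every
    script-capable property or value removed. Declarations are split only
    after normalization so an escaped ';' cannot hide a second declaration."""
    kept = []
    for decl in _normalize(style).split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        if prop in SCRIPT_PROPERTIES or SCRIPT_VALUE_RE.search(value):
            continue  # drop the whole declaration rather than patch it
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample input exercising each evasion the normalizer handles.
    print(sanitize_style("color: red; behavior: url(foo.htc)"))
    print(sanitize_style("width: exp/**/ression(alert(1)); color: blue"))
    print(sanitize_style("-moz-binding: url(http://example.invalid/x.xml#b); font-size: 12px"))
    print(sanitize_style("background: \\65xpression(1)"))
```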
The major browser vendors really need to do a better job here. I
totally agree with one of the follow-up comments in the bug, which
stated: "If Moz & Microsoft can agree on SSL/anti-phishing policy and
an RSS icon, is consensus on scripting security policy too hard to
imagine?" Collaborating on simple stuff like what orange icon to use
for subscribing to feeds is nice, but areas like Web security could do
with more standardization across browsers. I wonder if the WHATWG is
working on standardizing anything in this area...