Issue 738849

Starred by 3 users

Issue metadata

Status: Started
Owner: OOO until 4th
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task

Blocked on:
issue 680462
issue 680970




Answering postcards from the post-xss world.

Project Member Reported by mkwst@chromium.org, Jul 3 2017

Issue description

A million years ago, lcamtuf@ wrote http://lcamtuf.coredump.cx/postxss/. Slowly, we're cutting back on the viability of some of the mechanisms contained therein. Let's just track that work here.
 

Comment 1 by mkwst@chromium.org, Jul 3 2017

Blockedon: 680970 680462
Exfiltration Bits
-----------------

Section 2.1: More or less addressed via blocking `\n`+`<` in subresource requests (https://crbug.com/680970)

Section 2.2: Narrowed by blocking form submissions with unclosed `<textarea>` or `<select>` elements (https://crbug.com/680462).

Section 2.3: Measuring scope of nested form elements in https://www.chromestatus.com/metrics/feature/timeline/popularity/1972

Section 2.4: Probably not going to remove `<base>` entirely, but could perhaps limit its effectiveness by locking it to `<head>`.

Section 2.5: We've made this worse with the Credential Management API. Hooray.

Section 2.6: I wonder how often folks put newlines and brackets into `<input>`?
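The two mitigations mentioned for sections 2.1 and 2.2 above, written out as an added example (this is not Chromium's code and not part of the issue thread): a simplified mirror of the heuristics, usable as a defender-side check in a template linter or response-inspecting proxy. The element names, the `looksLikeDanglingMarkup`/`formHasUnclosedTextBlock` helpers, and the sample URLs and form fragment are all constructed for the example.

```javascript
// Added example, not Chromium's code: a simplified mirror of the two
// mitigations described for sections 2.1 and 2.2, written as defender-side
// checks that a template linter or a response-inspecting proxy could run.
//
// Dangling-markup exfiltration works by injecting an unclosed attribute such
// as  <img src="https://untrusted.example/?  and letting the rest of the page
// (newlines, later tags, tokens in the markup) get swallowed into that URL.
// Blocking subresource URLs that contain both a raw newline and a '<'
// (section 2.1) breaks that channel; refusing to submit forms that contain an
// unclosed <textarea> or <select> (section 2.2) breaks the form-based variant.

function looksLikeDanglingMarkup(rawUrl) {
  // Inspect the raw attribute value before percent-encoding: once the URL is
  // resolved, the newline becomes %0A and the signal is lost.
  // Assumption: both characters present anywhere in the value is the trigger.
  return rawUrl.includes('\n') && rawUrl.includes('<');
}

function auditSubresourceUrls(rawUrls) {
  const allowed = [];
  const blocked = [];
  for (const url of rawUrls) {
    (looksLikeDanglingMarkup(url) ? blocked : allowed).push(url);
  }
  return { allowed, blocked };
}

// Count opening and closing tags of one element name in an HTML fragment.
function countTags(html, name) {
  const openRe = new RegExp('<' + name + '[\\s>]', 'gi');
  const closeRe = new RegExp('</' + name + '\\s*>', 'gi');
  const open = (html.match(openRe) || []).length;
  const close = (html.match(closeRe) || []).length;
  return { open, close };
}

function formHasUnclosedTextBlock(formHtml) {
  // A <textarea> or <select> that is opened but never closed swallows the
  // rest of the form (hidden fields included) into one submitted value.
  return ['textarea', 'select'].some((name) => {
    const { open, close } = countTags(formHtml, name);
    return open > close;
  });
}

// Constructed samples: one ordinary script URL, and one attribute value that
// has swallowed the markup following an injected, unclosed  src="  attribute.
const BENIGN_URL = 'https://cdn.example.test/app.js';
const SWALLOWED_URL =
  'https://untrusted.example/collect?' +
  '\n<p>page content that was swallowed into the attribute';

// Constructed form fragment where an injected <textarea> is never closed, so
// the hidden field after it would be submitted as part of the textarea value.
const FORM_WITH_UNCLOSED_TEXTAREA =
  '<form action="/comment" method="post">' +
  '<textarea name="body">' + // injected opening tag, no matching </textarea>
  '<input type="hidden" name="csrf" value="CONSTRUCTED-TOKEN">' +
  '</form>';

const report = auditSubresourceUrls([BENIGN_URL, SWALLOWED_URL]);
console.log(report.blocked.length + ' blocked, ' + report.allowed.length + ' allowed');
console.log('form submission refused: ' + formHasUnclosedTextBlock(FORM_WITH_UNCLOSED_TEXTAREA));
```

The URL check deliberately looks at the raw, pre-encoding attribute value; a check applied after URL resolution would see `%0A` and `%3C` and never fire. The form check is a simple open/close tag count, which is enough to flag the unclosed-element case the comment describes but does not try to be a full HTML parser.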

Comment 2 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 3 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
