Tainting could also be of use in a particular problem area for Content Security Policy (CSP): allowing modifications to CSP-protected pages caused by add-ons or bookmarklets. At the moment, such modifications (e.g. an add-on injecting tags into a page) are indistinguishable from malicious content injection attacks, and so are blocked. Unfortunately, the end result for users is their addons and bookmarklets "break" on these CSP-protected pages - a problem that will only worsen as CSP adoption increases.
It is debatable whether such modifications should be allowed. According to the priority of constituencies, the user/user agent takes precedence over the site, so add-ons and bookmarklets (typically interpreted as acting with the knowledge and consent of the user) should be able to override a CSP provided by the site. However, it is not clear that this interpretation is always valid (consider malicious addons, crapware addons, or default addons included with the user's knowledge by the OS or manufacturer). Either way, tainting support in the JS engine, and general instrumentation/metadata for JS calls, would probably help in achieving this goal (although we'd probably also have to add taint information to DOM objects as well, so CSP knows when it should be bypassed).

On 06/25/2014 08:33 AM, Frederik Braun wrote:
> Thanks for bringing this to dev-platform.
>
> Dynamic analysis is something the security teams are particularly
> interested in. Especially tainting user input is something we could make
> use of across the project: Existing security efforts for Firefox OS,
> Firefox Desktop, Firefox Mobile and our websites would all greatly
> benefit from it, as it could help prevent Cross-Site Scripting and
> other content injection attacks.
>
> Some people may know the work Stefano Di Paola has done to develop his
> DOM-XSS scanner "DOMinator". There's also been an attempt to develop it
> in-tree within the security mentorship program, but the outcome wasn't
> fit to be merged into moz-central (bug 811877).
>
> A mozilla-owned API would help make all future endeavors last. I have
> also been in contact with folks in academia and the industry who are
> interested in both implementation and consumption of the API.
>
> I will make sure their attention is directed to this thread to provide
> additional feedback.
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
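The following is an added illustration of the taint-tracking idea discussed in the message above; it is not code from Mozilla, from the dev-platform thread, or from DOMinator. It models what engine-level string tainting would give a DOM-XSS sink check: a string carries the set of sources it was derived from, every string-deriving operation propagates that set, and the innerHTML sink applies a policy over the labels. The policy shown is one reading of the "priority of constituencies" point in the message: content tainted only by an add-on or bookmarklet passes, content carrying any URL or postMessage taint is blocked, and add-on content that has mixed in URL-derived data keeps both labels and is still blocked. The `SOURCE` labels, the `TaintedString` wrapper, `checkHtmlSink`, `setInnerHTML`, the fake element and all scenario strings are this example's own constructions; a real engine would attach the labels to primitive strings rather than use a wrapper.

```javascript
// Taint labels. The names are this example's own, not an API from the thread.
const SOURCE = Object.freeze({
  URL: 'url',               // location.hash / location.search / document.referrer
  POSTMESSAGE: 'postMessage',
  EXTENSION: 'extension',   // content injected by an add-on or bookmarklet
});

function plain(x) { return x instanceof TaintedString ? x.value : String(x); }
function sourcesOf(x) { return x instanceof TaintedString ? x.sources : new Set(); }
function union(a, b) { return new Set([...a, ...b]); }

// A string plus the set of sources it was derived from. An engine-level
// implementation would carry this on primitive strings; a wrapper is used
// here so the example runs unmodified under Node.
class TaintedString {
  constructor(value, sources) {
    this.value = String(value);
    this.sources = new Set(sources);
  }
  static from(value, source) { return new TaintedString(value, [source]); }
  // Taint propagates through every operation that derives a new string.
  concat(other) {
    return new TaintedString(this.value + plain(other), union(this.sources, sourcesOf(other)));
  }
  slice(start, end) { return new TaintedString(this.value.slice(start, end), this.sources); }
  toString() { return this.value; }
}

// Sink policy: which sources may flow into an HTML-producing sink. The default
// lets through content tainted only by an add-on/bookmarklet and blocks anything
// carrying attacker-controllable taint (URL, postMessage).
function checkHtmlSink(value, allowedSources = new Set([SOURCE.EXTENSION])) {
  const sources = [...sourcesOf(value)];
  const offending = sources.filter((s) => !allowedSources.has(s));
  return { allowed: offending.length === 0, sources, offending };
}

// Stand-in for a DOM element so the example runs without a browser.
function makeElement() { return { innerHTML: '' }; }

// innerHTML sink guarded by the taint policy.
function setInnerHTML(el, value, allowedSources) {
  const verdict = checkHtmlSink(value, allowedSources);
  if (!verdict.allowed) {
    throw new Error(`innerHTML blocked: value tainted by ${verdict.offending.join(', ')}`);
  }
  el.innerHTML = plain(value);
  return verdict;
}

function attempt(el, value, allowedSources) {
  try { setInnerHTML(el, value, allowedSources); return 'allowed'; } catch (e) { return 'blocked'; }
}

// Scenario 1: the classic DOM-XSS pattern, location.hash -> innerHTML.
// The hash value is constructed for the example.
function scenarioHashToInnerHTML() {
  const hash = TaintedString.from('#<img src=x onerror=alert(1)>', SOURCE.URL);
  const html = new TaintedString('<div>', []).concat(hash.slice(1)).concat('</div>');
  return attempt(makeElement(), html);
}

// Scenario 2: a bookmarklet injecting a fixed tag. Only extension taint, so the
// policy lets it through, whereas a plain CSP would block it like scenario 1.
function scenarioBookmarklet() {
  const tag = TaintedString.from('<button id="readability">Read</button>', SOURCE.EXTENSION);
  return attempt(makeElement(), tag);
}

// Scenario 3: add-on code that embeds URL-derived data. The result carries both
// labels, so the URL taint still blocks it; "from an add-on" is not a free pass
// to launder attacker data into the DOM.
function scenarioBookmarkletWithUrlData() {
  const query = TaintedString.from('?q="><script>alert(1)</script>', SOURCE.URL);
  const widget = TaintedString.from('<input value="', SOURCE.EXTENSION)
    .concat(query.slice(3)).concat('">');
  return { verdict: attempt(makeElement(), widget), sources: [...widget.sources].sort() };
}

// Scenario 4: the site's own flow with an explicit escape step. Escaping returns
// a plain string, i.e. it acts as the declassification point, so the sink accepts it.
function escapeHtml(t) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return plain(t).replace(/[&<>"']/g, (c) => map[c]);
}
function scenarioEscaped() {
  const hash = TaintedString.from('#<img src=x onerror=alert(1)>', SOURCE.URL);
  const el = makeElement();
  const safe = new TaintedString('<div>', []).concat(escapeHtml(hash.slice(1))).concat('</div>');
  return { verdict: attempt(el, safe), html: el.innerHTML };
}
```

The interesting design point is scenario 3: the label set is a union, not a single "origin", so a policy that trusts add-ons does not automatically trust everything an add-on touches. Whether scenario 2 should pass at all is exactly the open question in the message above; the policy is a parameter of the sink check so a site (or the user agent) can choose.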