Thursday, October 20, 2005
A Modest Proposal Against Cross-Site Scripting Attacks: Clean()
You know, expecting developers to handle every single way of launching a Cross-Site Scripting (XSS) attack is way too complex and unreliable. Can we get one of two things:
- Either the browser makers give us a single nice method, let's call it makeSafe() or clean(), that I can run on a DOM node or string and which will completely remove any unsafe code: someNode.clean()
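The clean() the post asks for is only tractable if it is defined as "keep what is known safe" rather than "remove what is known bad". As an added example (not code from the post, and not a browser API), here is a small allowlist-based sanitiser in JavaScript for HTML strings: it keeps a handful of elements, one attribute and two URL schemes, re-escapes all text and discards script/style bodies, so anything outside the list, including vectors not on any cheat sheet yet, is inert by default.

```javascript
// Added example: allowlist-based clean() for HTML strings. Anything not
// explicitly permitted is dropped, so new vectors need no new denylist rule.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a"]);
const ALLOWED_ATTRS = new Map([["a", new Set(["href"])]]); // no on*, style, src ...
const SAFE_URL = /^(https?:|mailto:)/i;        // rejects javascript:, data:, vbscript:
const RAW_TEXT = new Set(["script", "style"]); // bodies are discarded, not re-emitted

// Text nodes are re-escaped; entities in the input are treated as literal text.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Keep only allowlisted attributes; valueless attributes are dropped.
function cleanAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS.get(tag);
  if (!allowed) return "";
  const attrRe = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let out = "", m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (!allowed.has(name)) continue;
    // Strip whitespace/control chars before the scheme check: "java\tscript:" runs in browsers.
    if (name === "href" && !SAFE_URL.test(value.replace(/[\s\x00-\x1f]/g, ""))) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function clean(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    const closing = m[0][1] === "/";
    if (RAW_TEXT.has(tag) && !closing) {          // skip to the matching close tag
      const closeRe = new RegExp(`</${tag}\\s*>`, "ig");
      closeRe.lastIndex = last;
      last = closeRe.exec(html) ? closeRe.lastIndex : html.length;
      tagRe.lastIndex = last;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;         // unknown element dropped, its text kept
    out += closing ? `</${tag}>` : `<${tag}${cleanAttrs(tag, m[2])}>`;
  }
  return out + escapeText(html.slice(last));
}
```

A broken or unterminated tag never matches the tag pattern and is emitted as escaped text, so malformed input fails closed rather than open.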
Practice Safe HTML!
Cross-Site Scripting Cheat Sheet
"Here's a crazy, evil thought. What if someone took the Trimpath SQL layer, an open source component that lets you have the power of SQL queries while running in a web browser, and layered that over the AMASS permanent browser storage system I've built? This would mean AMASS becomes a generalized storage system, simulating a relational database running on the client side that can be queried using SQL."
This morning I came into the office and saw an email from Cory that he had implemented a prototype of that overnight. Wow; I'm impressed. Good work :)
He even wrote good documentation:
"A piece of the offline AJAX application puzzle. This idea was in response to a blog post found here.
TrimPath - is an SQL query parser that works with data stored in arrays.
Together, I created a quick hack, you may say, to store an array of data in AMASS storage; the script then allows the user to run a query on stored data by grabbing the data back from storage and using TrimPath to parse and filter the data array. You can try out the demo if you like or even just go to the project for more information.
If these projects mature, we will eventually have an even more reliable and fault-tolerant generation of AJAX applications."
This stuff is cooking! Now we just need someone to get it working on the Mac on Firefox (I don't have a Mac), and someone to see how it works in Linux on Firefox.
1) AMASS can store much more than 100K, up to megabytes of information. AMASS can store up to 100K of information without prompting the user; beyond that, the underlying Flash system requires permission, which AMASS detects so that the Flash "Do you give this website permission to store X amount of information" dialog appears. Afterwards, you can store an arbitrary amount of information; I've successfully stored up to 10 megabytes. Why don't you try more and see where it falls over?
2) AMASS is not a security threat. The underlying Flash SharedObject system that AMASS uses keeps storage partitioned between domains (though be careful using something like AMASS on a website where different providers share the same host name, since they would then share the same storage partition). Also, at each order of magnitude of increasing storage (i.e. storing 100K, 1 Meg, 10 Megs, etc.) AMASS reprompts the user to make sure the user gives the site permission.
3) AMASS, by itself, does not make offline access possible. However, it is one of the essential ingredients in achieving offline functionality for AJAX apps, which is one of the reasons I created it.
4) AMASS is in alpha, so expect bugs :) In November and December I will have more time to focus on making it reliable.
5) I need help on making AMASS work on Firefox for the Mac!