[wp-trac] [WordPress Trac] #10237: Implement the new Mozilla feature to prevent XSS

WordPress Trac wp-trac at lists.automattic.com
Mon Jan 11 23:09:39 UTC 2010


#10237: Implement the new Mozilla feature to prevent XSS
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  ryan
     Type:  feature request    |      Status:  new 
 Priority:  normal             |   Milestone:  3.0 
Component:  Security           |     Version:  2.8 
 Severity:  normal             |    Keywords:      
-------------------------------+--------------------------------------------

Comment(by bsterne):

 Replying to [comment:11 Denis-de-Bernardy]:

 Yes, the header added in
 [http://core.trac.wordpress.org/attachment/ticket/10237/10237.patch
 hakre's patch] will be too restrictive for most sites.  |allow 'self'|
 restricts all content, not just scripts, to the same origin as the top
 level page.  Any images or other content coming from other sites will be
 blocked from loading.

 There are [https://wiki.mozilla.org/Security/CSP/Spec#Content_Restrictions
 other restrictions] that need to be considered as well, such as
 [https://wiki.mozilla.org/Security/CSP/Spec#No_inline_scripts_will_execute
 no inline scripts will execute].  This means that any event-handling
 attributes or other inline scripts used in any of the pages, including
 script added by WP addons, will not execute.  This is most immediately a
 problem in the admin console, which heavily utilizes inline script.  All
 this code will need to be migrated to external script files.

 I think we also need to provide a tool in the admin console that allows
 users to tailor their Content Security Policy according to their site
 profile.  There could be a wizard, for example, that asks questions like
 "where do you load images from", "do you use any analytics packages",
 etc., and generates the correct policy based on the answers.  It's
 probably a failure model if we require that users understand the CSP
 syntax and be writing policies by hand.  Of course we can expose the raw
 policy to users who are comfortable doing so.

 As before, I'm very much available to help with this implementation.  Let
 me know how I can be useful.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10237#comment:13>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
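To make the two points above concrete (a bare `allow 'self'` blocking every cross-origin image, and inline script being off by default), here is an added example, not code from the ticket or from WordPress core, that builds an X-Content-Security-Policy value in the 2010 Mozilla syntax from the kind of "site profile" answers the proposed wizard would collect. The profile keys, host names and report path are assumptions chosen for the example.

```php
<?php
// Added example (not from the ticket or WordPress core).
// Builds a policy in the original Mozilla CSP syntax: "allow" is the default
// source set, "options inline-script" re-enables inline script.
function csp_build_policy(array $profile)
{
    // Everything same-origin unless a more specific directive says otherwise.
    $directives = ["allow 'self'"];

    // Wizard question: "where do you load images from?"
    if (!empty($profile['image_hosts'])) {
        $directives[] = 'img-src ' . implode(' ', array_merge(["'self'"], $profile['image_hosts']));
    }
    // Wizard question: "do you use any analytics packages?"
    if (!empty($profile['script_hosts'])) {
        $directives[] = 'script-src ' . implode(' ', array_merge(["'self'"], $profile['script_hosts']));
    }
    // Inline script (onclick=... attributes, inline <script>) is blocked by
    // default; only re-enable it on screens that still depend on it.
    if (!empty($profile['allow_inline_script'])) {
        $directives[] = 'options inline-script';
    }
    // Violation reports let a site admin see what the policy broke before
    // tightening it further.
    if (!empty($profile['report_uri'])) {
        $directives[] = 'report-uri ' . $profile['report_uri'];
    }
    return implode('; ', $directives);
}

// On WordPress this would run from the send_headers action; kept plain here.
function csp_send_header($policy)
{
    header('X-Content-Security-Policy: ' . $policy);
}

// Constructed profile: images from a CDN and Gravatar, Google Analytics,
// inline script still needed on admin screens only (assumed hosts).
$profile = array(
    'image_hosts'         => array('cdn.example.com', '*.gravatar.com'),
    'script_hosts'        => array('www.google-analytics.com'),
    'allow_inline_script' => false,
    'report_uri'          => '/csp-report.php',
);
echo csp_build_policy($profile), "\n";
// Admin variant: same profile, inline script permitted until it is externalized.
echo csp_build_policy(array_merge($profile, array('allow_inline_script' => true))), "\n";
```

The first policy still blocks inline script everywhere, which is exactly the admin-console problem described above; the second relaxes only that restriction rather than dropping the policy altogether.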
