[wp-trac] [WordPress Trac] #10237: Implement the new Mozilla feature to prevent XSS
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 11 23:09:39 UTC 2010
#10237: Implement the new Mozilla feature to prevent XSS
-------------------------------+--------------------------------------------
Reporter: Denis-de-Bernardy | Owner: ryan
Type: feature request | Status: new
Priority: normal | Milestone: 3.0
Component: Security | Version: 2.8
Severity: normal | Keywords:
-------------------------------+--------------------------------------------
Comment(by bsterne):
Replying to [comment:11 Denis-de-Bernardy]:
Yes, the header added in
[http://core.trac.wordpress.org/attachment/ticket/10237/10237.patch
hakre's patch] will be too restrictive for most sites. |allow 'self'|
restricts all content, not just scripts, to the same origin as the top
level page. Any images or other content coming from other sites will be
blocked from loading.
There are [https://wiki.mozilla.org/Security/CSP/Spec#Content_Restrictions
other restrictions] that need to be considered as well, such as
[https://wiki.mozilla.org/Security/CSP/Spec#No_inline_scripts_will_execute
no inline scripts will execute]. This means that any event-handling
attributes or other inline scripts used in any of the pages, including
script added by WP addons, will not execute. This is most immediately a
problem in the admin console, which heavily utilizes inline script. All
this code will need to be migrated to external script files.
I think we also need to provide a tool in the admin console that allows
users to tailor their Content Security Policy according to their site
profile. There could be a wizard, for example, that asks questions like
"where do you load images from", "do you use any analytics packages",
etc., and generates the correct policy based on the answers. It's
probably a failure model if we require that users understand the CSP
syntax and be writing policies by hand. Of course we can expose the raw
policy to users who are comfortable doing so.
As before, I'm very much available to help with this implementation. Let
me know how I can be useful.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10237#comment:13>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
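To make the two restrictions bsterne describes concrete, here is an added example (not code from the ticket, from hakre's patch, or from WordPress) that models the 2010 Mozilla X-Content-Security-Policy syntax: `allow` as the catch-all, per-type fetch directives such as `img-src` and `script-src`, and inline script blocked unless the policy opts back in. It assumes the `options inline-script` keyword from the Mozilla spec, ignores ports, and uses constructed URLs; `build_policy` sketches the kind of wizard-generated policy the comment proposes, starting from `allow 'self'` and relaxing only what the site's answers require.

```python
"""Toy model of the Mozilla X-Content-Security-Policy syntax (added example).

Shows why `allow 'self'` blocks cross-site images and all inline script, and
how a wizard-style builder could relax the policy per site profile.
"""
from urllib.parse import urlsplit

# Fetch directive consulted for each resource type; `allow` is the catch-all
# used when the specific directive is absent.
TYPE_DIRECTIVE = {
    "image": "img-src", "script": "script-src", "style": "style-src",
    "frame": "frame-src", "object": "object-src", "media": "media-src",
}


def parse_policy(policy):
    """'allow 'self'; img-src *' -> {'allow': ["'self'"], 'img-src': ['*']}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "allow" not in directives:
        raise ValueError("the Mozilla CSP syntax requires an `allow` catch-all")
    return directives


def _origin(url):
    """(scheme, host) of a URL; ports are ignored in this toy model."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def source_matches(source, resource_url, page_url):
    """Match one source expression (*, 'self', 'none', host, *.host) against a URL."""
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(resource_url) == _origin(page_url)
    # A bare host inherits the page's scheme; a scheme-qualified host must match it.
    if "://" not in source:
        source = urlsplit(page_url).scheme + "://" + source
    src_scheme, src_host = source.split("://", 1)
    src_host = src_host.split("/", 1)[0].split(":", 1)[0]
    res_scheme, res_host = _origin(resource_url)
    if src_scheme != res_scheme:
        return False
    if src_host.startswith("*."):
        return res_host.endswith(src_host[1:])      # '*.cdn.example' -> '.cdn.example'
    return src_host == res_host


def is_allowed(policy, resource_type, page_url, resource_url=None, inline=False):
    """Would a page at page_url be allowed to load or run this resource?"""
    directives = parse_policy(policy)
    if inline:
        # Inline script (event-handler attributes, <script> bodies) never runs
        # unless the policy opts back in; assumed `options inline-script` keyword.
        return (resource_type == "script"
                and "inline-script" in directives.get("options", []))
    sources = directives.get(TYPE_DIRECTIVE[resource_type], directives["allow"])
    return any(source_matches(s, resource_url, page_url) for s in sources)


def build_policy(image_hosts=(), script_hosts=(), allow_inline_script=False):
    """Wizard-style builder: start from allow 'self', relax only what the site needs."""
    parts = ["allow 'self'"]
    if image_hosts:
        parts.append("img-src 'self' " + " ".join(image_hosts))
    if script_hosts:
        parts.append("script-src 'self' " + " ".join(script_hosts))
    if allow_inline_script:
        parts.append("options inline-script")
    return "; ".join(parts)


if __name__ == "__main__":
    page = "https://blog.example/2010/01/post/"          # constructed page URL
    strict = "allow 'self'"
    print("X-Content-Security-Policy:", strict)
    print(" cross-site image:", is_allowed(strict, "image", page, "https://cdn.example/a.png"))
    print(" inline script:   ", is_allowed(strict, "script", page, inline=True))
    relaxed = build_policy(image_hosts=["*"], script_hosts=["www.google-analytics.com"])
    print("X-Content-Security-Policy:", relaxed)
    print(" cross-site image:", is_allowed(relaxed, "image", page, "https://cdn.example/a.png"))
    print(" analytics script:", is_allowed(relaxed, "script", page,
                                           "https://www.google-analytics.com/ga.js"))
```

Under `allow 'self'` the only way to get the cross-site image or the inline handler to work is to change the policy, which is exactly why the comment argues that the admin console's inline script must move to external files and that a site-profile wizard, rather than hand-written policy syntax, should generate the header.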