[wp-trac] [WordPress Trac] #10237: Implement the new Mozilla feature to prevent XSS

WordPress Trac wp-trac at lists.automattic.com
Tue Jan 12 17:48:14 UTC 2010


#10237: Implement the new Mozilla feature to prevent XSS
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  ryan
     Type:  feature request    |      Status:  new 
 Priority:  normal             |   Milestone:  3.0 
Component:  Security           |     Version:  2.8 
 Severity:  normal             |    Keywords:      
-------------------------------+--------------------------------------------

Comment(by bsterne):

 Replying to [comment:14 Denis-de-Bernardy]:
 > If you're familiar with the specifics, I think that highlighting the
 headers we should add, with a brief explanation of why, would be of great
 help.

 Well, no matter what code changes go into the WordPress trunk, it will
 only require a single header being sent with any given page.  It's the
 value of the header that contains the policy, which can vary somewhat,
 depending on how the user's blog is set up.  I'll give you an example:

 If a site needs to allow images from anywhere, videos from YouTube, and
 everything else from their own host, they would send the header:

 {{{X-Content-Security-Policy: allow 'self'; img-src *; media-src
 youtube.com}}}


 The header value needs to be able to be customized in this way to provide
 the minimal white-list policy that allows the site to function as
 intended.  There could be a HTML form or some other widget in the admin
 panel that could help admins construct their policy without directly
 writing it.

 The other set of changes that feature requires is to move any
 [https://wiki.mozilla.org/Security/CSP/Spec#No_inline_scripts_will_execute
 inline script] to external script files. This will involve:
  1. changing instances of
 {{{<script>inline_code();</script>}}} to

 {{{<script src="external_file.js"></script>}}}

 These inline code blocks can obviously be combined into a single script
 file, where appropriate, to reduce the number of network requests.

  2. replace event-handling HTML attributes with externally-added event
 handlers, such as replacing
 {{{<a onclick="commentReply.open('631','101');return false;" class="vim-r
 hide-if-no-js" title="Reply to this comment" href="#">Reply</a>}}} with

 {{{<a class="vim-r hide-if-no-js" cid="631" pid="101" title="Reply to this
 comment" href="#">Reply</a>}}} with external script doing
 {{{
 var cLinks = document.getElementsByClassName("vim-r");
 for (var i = 0 ; i < cLinks.length ; i++) {
   // Assign a handler function rather than the result of calling open();
   // the closure captures each link, and return false keeps href="#" inert.
   (function (link) {
     link.onclick = function () {
       commentReply.open(link.getAttribute("cid"), link.getAttribute("pid"));
       return false;
     };
   })(cLinks[i]);
 }
 }}}

  3. We would also want to remove any {{{javascript:}}} URLs, but I didn't
 see any in the instance of WP I'm working with.

 (Also, I cc'd myself on this ticket, but I don't seem to be getting
 emails.  Is there something else I need to do to be notified when things
 change here?)

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10237#comment:15>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
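The policy-construction widget mentioned in the comment above, as an added example that is not part of the ticket or of WordPress: a function that builds the X-Content-Security-Policy header value from a structured allow-list and rejects any entry that could smuggle a second directive into the policy. The directive names are those of the 2010 Mozilla draft; the source-expression pattern SOURCE_RE is a simplified assumption, not the spec's full grammar.

```javascript
// Added example, not WordPress or ticket code: build the value of the
// X-Content-Security-Policy header from a structured allow-list, as an
// admin-panel widget might. SOURCE_RE is a simplified assumed grammar.
const DIRECTIVES = new Set([
  "allow", "img-src", "media-src", "script-src", "object-src",
  "frame-src", "font-src", "xhr-src", "style-src", "frame-ancestors",
]);

// Accepts 'self', 'none', '*', or a host such as youtube.com,
// *.example.org or https://cdn.example.org:443. Whitespace and ';'
// never match, so a form field cannot append a second directive.
const SOURCE_RE =
  /^('self'|'none'|\*|(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d{1,5})?)$/i;

function buildPolicy(allowList) {
  // Emit the base "allow" directive first, then the others in given order.
  const entries = Object.entries(allowList).sort(
    ([a], [b]) => (a === "allow" ? -1 : b === "allow" ? 1 : 0)
  );
  if (entries.length === 0) throw new Error("empty policy");
  const parts = [];
  for (const [directive, sources] of entries) {
    if (!DIRECTIVES.has(directive)) {
      throw new Error("unknown directive: " + directive);
    }
    if (!Array.isArray(sources) || sources.length === 0) {
      throw new Error(directive + " needs at least one source");
    }
    for (const src of sources) {
      if (typeof src !== "string" || !SOURCE_RE.test(src)) {
        throw new Error("invalid source for " + directive + ": " + src);
      }
    }
    parts.push(directive + " " + sources.join(" "));
  }
  return parts.join("; ");
}

// Returns true when buildPolicy rejects the allow-list (used for checks).
function isRejected(allowList) {
  try { buildPolicy(allowList); return false; } catch (e) { return true; }
}

// The policy from the comment above: images from anywhere, video from
// YouTube, everything else from the site itself.
const example = buildPolicy({
  allow: ["'self'"], "img-src": ["*"], "media-src": ["youtube.com"],
});
console.log("X-Content-Security-Policy: " + example);
```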

