Microsoft Windows Vista Community Forums - Vistaheads
Suggestion: Enable User To Allow Discrete Cross-Site-Scripting

microsoft.public.internetexplorer.general

#1
Old 02-20-2010
Axel Dahmen
Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
See here for the same suggestion for Firefox, including images:

https://bugzilla.mozilla.org/show_bug.cgi?id=547437


In the course of enforcing Same Origin policy, Internet Explorer (like other
browsers) blocks attempts to access content from other websites through,
e.g., <iframe> elements or XMLHttpRequest calls.

Because this particularly stops Internet Explorer from making use of web
services through the XMLHttpRequest object, I'd like to suggest enabling
the user to create a white list of web sites (or URL paths) that are allowed
to access a list of foreign websites (or URL paths).


Here are the details:

(I've created a couple of Firefox sample dialogs and added them as
attachments to the above hyperlink at Mozilla. I'm running the German version
of Firefox so they are all in German. Most content is taken from the current
pop-up configuration dialog.)


* Like with pop-up dialogs, Internet Explorer should provide a dialog where
the user can edit a white list [see CSS1.png].

* This white list should allow entering websites (or URL paths, I can't
tell what's more appropriate).

* For each of these websites (or URL paths) the user should be able to
enter a number of websites (or URL paths) that the website may address
through an <iframe> element or the XMLHttpRequest object (or any similar
means) [see CSS2.gif, which is animated]. In the following the former is
called "source websites", the latter "destination websites".

* [CSS2a.png] shows the dialog when the user is to enter a new source
website. [CSS2b.png] shows the dialog when the user is to enter a new
destination website for the selected source website ("mozilla.org" in this
example).

* The user should be able to grant access to ANY foreign destination
content for a source website (or URL path). The asterisk ought to be used to
denote that a source website (or URL path) may access any foreign destination
content [see CSS2d.png].

* The user might want to grant access to certain web services to ANY source
website without restriction (e.g. package tracking services). So entering an
asterisk into the list of source websites (or URL paths) would allow the
destination websites (or URL paths) listed in the destination list to be
accessed by any arbitrary source [see CSS2e.png].

* To inform the user of a blocked foreign request attempt, Internet
Explorer should display a yellow bar above a document when such request(s)
has or have been blocked. The yellow bar should allow entering the currently
blocked request(s) into the white list and re-attempting these
requests [see CSS3.png].


----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://www.microsoft.com/communities...orer. general
#2
Old 02-20-2010
Twayne
Re: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
In news:A02CDD3D-CB43-4ED5-ABBC-FD59A914009F@microsoft.com,
Axel Dahmen <keentoknow@newsgroup.nospam> typed:
> See here for the same suggestion for Firefox, including images:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=547437

....

>
>
> ----------------
> This post is a suggestion for Microsoft, and Microsoft responds to the
> suggestions with the most votes. To vote for this suggestion, click
> the "I Agree" button in the message pane. If you do not see the
> button, follow this link to open the suggestion in the Microsoft
> Web-based Newsreader and then click "I Agree" in the message pane.
>
> http://www.microsoft.com/communities...orer. general


This isn't Microsoft the company. It's just a group of Microsoft users
helping each other. Contact MS directly but don't hold your breath for any
changes.

HTH,

Twayne
--
Newsgroups are great places to get assistance.
But always verify important information with
other sources to be certain you have a clear
understanding of it and that it is accurate.


#3
Old 02-20-2010
Axel Dahmen
Re: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
Hi Twayne,

I'm sorry to correct you, but I've entered this post using Microsoft Managed
Newsgroups, tagging it as "Suggestion for Microsoft". So they actually read
it.

Did you read the automatically generated signature below my posting?

Here's a hyperlink to the web version of this thread:

http://www.microsoft.com/communities...&cr=&sloc=&p=1

I'd very much appreciate your vote on this issue.

Best regards,
Axel Dahmen


---------------------
"Twayne" wrote:
> This isn't Microsoft the company. It's just a group of Microsoft users
> helping each other. Contact MS directly but don't hold your breath for any
> changes.
>
> HTH,
>
> Twayne


#4
Old 02-20-2010
Axel Dahmen
RE: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
"Axel Dahmen" wrote:

> See here for the same suggestion for Firefox, including images:
> https://bugzilla.mozilla.org/show_bug.cgi?id=547437



Just to add to the above suggestion:


If using URL paths instead of domain names, some valid values might be:


file: http:
(= local files can access any http: destination)


file: *
(= local files can access any destination)


* http://www.ups.com/WebTracking/
(= files from any sources can access any resource at or below this http: path)


* https://www.ups.com/WebTracking/
(= files from any sources can access any resource at or below this https: path)
#5
Old 02-21-2010
VanguardLH
Re: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
Axel Dahmen wrote:

> Hi Twayne,
>
> I'm sorry to correct you, but I've entered this post using Microsoft Managed
> Newsgroups, tagging it as "Suggestion for Microsoft". So they actually read
> it.


You are new here. This is NOT a forum. It is NOT monitored by Microsoft.
This is *Usenet* (aka newsgroups). Microsoft operates a pretend forum that
uses a gateway to Usenet. There are lots of leech sites that provide a
webnews-for-dummies interface to Usenet. Microsoft is hardly new at this
but was audacious in believing they could usurp Usenet for the microsoft.*
newsgroups by adding voting and suggestion signatures that are worthless in
Usenet and have very limited usefulness in their forum interface to Usenet.

What is Usenet:
http://en.wikipedia.org/wiki/Usenet
http://en.wikipedia.org/wiki/Newsgroups
http://www.masonicinfo.com/newsgroups.htm
http://www.mcfedries.com/Ramblings/usenet-primer.asp

When using a webnews-for-dummies interface (e.g., Microsoft's Communities,
Google Groups, or a leech site using a forum-to-Usenet proxy), those are
gateways to Usenet. Despite the pretense of a forum, you are participating
in a newsgroup (aka Usenet).

Good luck in trying to reach someone at Microsoft for your personal concerns
which have a tiny community that would want this feature. Microsoft listens
to large corporations who pay the big bucks for support. They have their MS
Connect site where you could try to submit a bug report (but then yours is a
Request for Enhancement rather than a bug report). Best you can probably do
is get involved as an early beta tester of version 9 to get your comments
reviewed by Microsoft (not later when they spew out a *public* beta that any
boob can download).

For now, and because XSS is a user-configurable option, and since this
appears a problem within your small community (like at some workplace), have
your users or use GPO to push out a policy that configures the Trusted Sites
security zone to disable the XSS option. Then put your site in the Trusted
Sites security zone. There's your whitelist which is voluntary to the users
as to how they configure (or established by company policy who can push
policies onto their employees).
#6
Old 02-21-2010
Axel Dahmen
Re: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
Vanguard,

"VanguardLH" wrote:
> You are new here. This is NOT a forum. It is NOT monitored by Microsoft.


And YOU must be joking! But you are NOT funny!

Hey, I've been doing this for almost twenty years now. And I don't need a
wise guy to tell me what I'm doing!

Have you followed the link that's automatically added to my post? I'm paying
lots of money for this functionality!

So, please, if you don't have anything technical to reply to my suggestion, just
step back and let grown-ups talk, will you?

Axel Dahmen
www.axeldahmen.de
http://www.dashop.de/blog/en/usenet/...tatements.html
#7
Old 02-21-2010
VanguardLH
Re: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
Axel Dahmen wrote:

> Vanguard,
>
> "VanguardLH" wrote:
>> You are new here. This is NOT a forum. It is NOT monitored by Microsoft.

>
> And YOU must be joking! But you are NOT funny!
>
> Hey, I've been doing this for almost twenty years now. And I don't need a
> wise guy to tell me what I'm doing!


Since your 1st post, and especially your 2nd post, make you appear ignorant
about Microsoft operating a webnews-for-dummies gateway to Usenet, and also
because you ARE using the webnews-for-dummies interface instead of a real
newsreader to an NNTP server, you certainly appeared to be naive.

> Have you followed the link that's automatically added to my post?


The link in your first post is NOT added by you. It is appended to your
post AFTER you submit it and is added by Microsoft when using their webnews
interface to Usenet. The link in your second post merely points to the
forum's pointer but then we that use NNTP for Usenet don't need to waste
time looking at the same post in the webnews-for-dummies interface. All you
did in your 2nd post was link back to your 1st post which we already saw.

Oh, I was supposed to magically see your link (as if I'd waste my time
there) in this post that didn't yet exist until you replied. Uh huh.

> I'm paying lots of money for this functionality!


No one has to pay to use Microsoft's webnews gateway. It's free. Same for
their NNTP server (msnews.microsoft.com). Want to try yet another story?

> So, please, if you don't have anything technical to reply to my suggestion, just
> step back and let grown-ups talk, will you?


Whine all you want. A solution was offered. That you don't like it doesn't
change that it exists. Apparently you don't have control over the user's
hosts to push policies on them. That also means that you would have no
control over pushing a whitelist on them, either, and if they whitelisted
you (already available) then it would be THEIR choice.
#8
Old 02-21-2010
Axel Dahmen
RE: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
Jo Hermans pointed me to an excellent work on this topic from Mozilla:

It's about Content Security Policy (in which case it would
be the website itself that determines if a remote script is allowed or not):

http://blog.mozilla.com/security/200...wser-security/
#9
Old 02-21-2010
Axel Dahmen
Re: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
Vanguard,

once and for all: If you do not follow links - or if you just don't know
what you're talking about - just keep quiet and don't harass people you don't
know with your personal opinion, will you? Have you ever read about things
like Netiquette?

Here's a final link for you. Apparently you don't seem to know about
Microsoft MSDN and MSDN Membership benefits and how it works:

http://msdn.microsoft.com/en-us/subs.../aa974230.aspx

Axel Dahmen
www.axeldahmen.de

*plonk*
#10
Old 02-21-2010
Axel Dahmen
RE: Suggestion: Enable User To Allow Discrete Cross-Site-Scripting
The CSP meta information solution brings the advantage of distinguishing
intended cross-site-scripting from malicious cross-site-scripting, which I wanted to
cope with through my suggestion, but it moves responsibility for white listing to the
administrator of the originating page. He/she is the one who is supposed to
know best which content to allow.

This is a far better approach than mine. So I step back from my suggestion
and hope the solution presented in this specification is going to become a
standard soon. And hopefully it will find its way into IE9.



----------------------------------------
"Axel Dahmen" wrote:

> Jo Hermans pointed me to an excellent work on this topic from Mozilla:
>
> It's about Content Security Policy (in which case it would
> be the website itself that determines if a remote script is allowed or not):
>
> http://blog.mozilla.com/security/200...wser-security/
