用户可编辑的 HTML XSS 保护(类似 tumblr) [英] User-editable HTML XSS protection (tumblr like)

问题描述

我希望我的服务有这样一个功能:作者可以完全自定义页面，但不能窃取用户的cookie.

Tumblr 遇到了一些麻烦，但成功解决了它们http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html

所以我需要解决方案

1. 没有节制
2. 用户-作者可以完全访问页面的 html 代码，不需要白名单过滤和模板语言(这就是现在的工作方式:()
3. 没有机会窃取彼此的 cookie(在其他作者的页面上)
4. 集中认证数据库
5. 可取:每个作者页面都无需身份验证

据我所知，tumblr:

1. 单独的域，不能访问彼此的 cookie
2. 用户仍然在每个子域上进行身份验证(如何??? www.tumblr.com js 可以访问主会话 cookie?那安全吗?)
3. auth cookie 应该是 httponly?..

我可以为用户提供安全舒适的解决方案吗?cookie 盗窃是完全访问 html 的主要问题吗?

解决方案

我希望我的服务有这样一个功能:作者可以完全自定义页面，但不能窃取用户的cookie.

所以我猜你想为他们启用 javascript 但你不想允许操纵 cookie.这应该很简单:只需在用户页面加载之前放置它:

if (document.__defineGetter__){document.__defineGetter__("cookie", function () { return ""; } );document.__defineSetter__("cookie", function () { } );}否则//IE{Object.defineProperty(document, "cookie",{得到:函数(){返回"；},设置:函数(){返回真；},});}

<小时><块引用>

用户仍然在每个子域上进行身份验证(如何??? www.tumblr.com js 可以访问主会话 cookie?那安全吗?)

这也很简单——cookies 支持这一点.它的 domain 属性:

Set-Cookie: name=value;路径=/；域=.example.com

<小时><块引用>

auth cookie 应该是 httponly?..

当然 - 它们应该是为了更好的安全性.

I want my service to have such a feature: author can fully customize the page, but can't steal users' cookies.

Tumblr had some troubles with that, but solved them successfully http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html

So I need the solution with

1. no moderation
2. full access to html code of pages for users-authors, don't want white-list filtering and templating language (that is how it works now :( )
3. no opportunity to steal each others cookies (on pages of other authors)
4. centralized authentication db
5. desirable: without authentication on each authors page

As I understand tumblr:

1. separate domains without access to cookies of each other
2. users are still authenticated on each subdomain (HOW??? www.tumblr.com js has access to main session cookies? Is that secure?)
3. auth cookies should be httponly?..

Can I have secure and comfortable for users solution? Is cookie-theft the main issue of full access to html?

解决方案

I want my service to have such a feature: author can fully customize the page, but can't steal users' cookies.

So I guess that you want to enable javascript for them but you do not want to allow manipulating cookies. This should be simple: just place it before the user's page loads:

if (document.__defineGetter__)
{    
    document.__defineGetter__("cookie", function () { return ""; } );
    document.__defineSetter__("cookie", function () { } );
}
else // IE
{
    Object.defineProperty(document, "cookie",
    {
        get: function () { return ""; },
        set: function () { return true; },
    });
}

---

users are still authenticated on each subdomain (HOW??? www.tumblr.com js has access to main session cookies? Is that secure?)

This is also simple - cookies supports this. Its domain attribute:

Set-Cookie: name=value; path=/; domain=.example.com

---

auth cookies should be httponly?..

Of course - they should be for the better security.

这篇关于用户可编辑的 HTML XSS 保护(类似 tumblr)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！