用户可编辑的 HTML XSS 保护(类似 tumblr) [英] User-editable HTML XSS protection (tumblr like)
问题描述
我希望我的服务有这样一个功能:作者可以完全自定义页面,但不能窃取用户的cookie.
Tumblr 遇到了一些麻烦,但成功解决了它们http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html
所以我需要解决方案
- 没有节制
- 用户-作者可以完全访问页面的 html 代码,不需要白名单过滤和模板语言(这就是现在的工作方式:()
- 没有机会窃取彼此的 cookie(在其他作者的页面上)
- 集中认证数据库
- 可取:每个作者页面都无需身份验证
据我所知,tumblr:
- 单独的域,不能访问彼此的 cookie
- 用户仍然在每个子域上进行身份验证(如何??? www.tumblr.com js 可以访问主会话 cookie?那安全吗?)
- auth cookie 应该是 httponly?..
我可以为用户提供安全舒适的解决方案吗?cookie 盗窃是完全访问 html 的主要问题吗?
我希望我的服务有这样一个功能:作者可以完全自定义页面,但不能窃取用户的cookie.
所以我猜你想为他们启用 javascript 但你不想允许操纵 cookie.这应该很简单:只需在用户页面加载之前放置它:
if (document.__defineGetter__){document.__defineGetter__("cookie", function () { return ""; } );document.__defineSetter__("cookie", function () { } );}否则//IE{Object.defineProperty(document, "cookie",{得到:函数(){返回";},设置:函数(){返回真;},});}
<小时><块引用>
用户仍然在每个子域上进行身份验证(如何??? www.tumblr.com js 可以访问主会话 cookie?那安全吗?)
这也很简单——cookies 支持这一点.它的 domain
属性:
Set-Cookie: name=value;路径=/;域=.example.com
<小时><块引用>
auth cookie 应该是 httponly?..
当然 - 它们应该是为了更好的安全性.
I want my service to have such a feature: author can fully customize the page, but can't steal users' cookies.
Tumblr had some troubles with that, but solved them successfully http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html
So I need the solution with
- no moderation
- full access to html code of pages for users-authors, don't want white-list filtering and templating language (that is how it works now :( )
- no opportunity to steal each others cookies (on pages of other authors)
- centralized authentication db
- desirable: without authentication on each authors page
As I understand tumblr:
- separate domains without access to cookies of each other
- users are still authenticated on each subdomain (HOW??? www.tumblr.com js has access to main session cookies? Is that secure?)
- auth cookies should be httponly?..
Can I have secure and comfortable for users solution? Is cookie-theft the main issue of full access to html?
I want my service to have such a feature: author can fully customize the page, but can't steal users' cookies.
So I guess that you want to enable javascript for them but you do not want to allow manipulating cookies. This should be simple: just place it before the user's page loads:
if (document.__defineGetter__)
{
document.__defineGetter__("cookie", function () { return ""; } );
document.__defineSetter__("cookie", function () { } );
}
else // IE
{
Object.defineProperty(document, "cookie",
{
get: function () { return ""; },
set: function () { return true; },
});
}
users are still authenticated on each subdomain (HOW??? www.tumblr.com js has access to main session cookies? Is that secure?)
This is also simple - cookies supports this. Its domain
attribute:
Set-Cookie: name=value; path=/; domain=.example.com
auth cookies should be httponly?..
Of course - they should be for the better security.
这篇关于用户可编辑的 HTML XSS 保护(类似 tumblr)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!