[WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)

Gervase Markham gerv at gerv.net
Mon Jun 26 12:55:19 EDT 2006

Brian Eaton wrote:
> Servers will provide browsers with a policy describing what kinds of
> cross-site links are normal and should be permitted.  Browsers will
> compare the source and destination for cross-site transitions to the
> server policy for cross-site links.  If the transition does not match
> the server's policy document, then the browser will instead direct the
> user to a fallback page specified by the policy.

The reason that this is a complete non-starter is not due to any
security failing, but because it has the potential to break the web.

One of the key properties of the web is that anyone can link to
anywhere. If sites are allowed to start dictating who can link to them,
and browsers agree to cooperate with that dictation in the name of
security, then the web as we know it will be ended.

> Here's an example of what I'm thinking of:
> - Browser begins following a link from
> http://source.start.com/source.html to
> http://dest.finish.com/dest.html.
> - Browser downloads http://dest/cslpolicy.xml, or uses a cached copy
> of the policy.

So every single cross-site link into a site would lead to a hit or, much
more likely, a 404 on cslpolicy.xml?

We have enough trouble with this sort of thing with favicon.ico...
Server ops hate their error logs being filled.

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]