
Suggestion: Enable User To Allow Discrete Cross-Site-Scripting

Axel Dahmen

Flightless Bird
See here for the same suggestion for Firefox, including images:

https://bugzilla.mozilla.org/show_bug.cgi?id=547437


In the course of enforcing Same Origin policy, Internet Explorer (like other
browsers) blocks attempts to access content from other websites through,
e.g., <iframe> elements or XMLHttpRequest calls.

Because this particularly stops Internet Explorer from making use of web
services by using the XMLHttpRequest object, I'd like to suggest enabling
the user to create a white list of web sites (or URL paths) that are allowed
to access a list of foreign websites (or URL paths).


Here are the details:

(I've created a couple of Firefox sample dialogs and added them as
attachments to the above hyperlink at Mozilla. I'm running the German version
of Firefox so they are all in German. Most content is taken from the current
pop-up configuration dialog.)


* Like with pop-up dialogs, Internet Explorer should provide a dialog where
the user can edit a white list [see CSS1.png].

* This white list should allow entering websites (or URL paths, I can't
tell what's more appropriate).

* For each of these websites (or URL paths) the user should be able to
enter a number of websites (or URL paths) that the website may address
through an <iframe> element or the XMLHttpRequest object (or any similar
means) [see CSS2.gif, which is animated]. In the following the former is
called "source websites", the latter "destination websites".

* [CSS2a.png] shows the dialog when the user is to enter a new source
website. [CSS2b.png] shows the dialog when the user is to enter a new
destination website for the selected source website ("mozilla.org" in this
example).

* The user should be able to grant access to ANY foreign destination
content for a source website (or URL path). The asterisk ought to be used to
denote that a source website (or URL path) may access any foreign destination
content [see CSS2d.png].

* The user might want to grant access to certain web services to ANY source
website without restriction (e.g. package tracking services). So entering an
asterisk into the list of source websites (or URL paths) would allow the
destination websites (or URL paths) listed in the destination list to be
accessed by any arbitrary source [see CSS2e.png].

* To inform the user of a blocked foreign request attempt, Internet
Explorer should display a yellow bar above a document when such request(s)
has or have been blocked. The yellow bar should allow the user to enter the
currently blocked request(s) into the white list and re-attempt to execute
these requests [see CSS3.png].


----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://www.microsoft.com/communitie...&dg=microsoft.public.internetexplorer.general
 

Twayne

Flightless Bird
In news:A02CDD3D-CB43-4ED5-ABBC-FD59A914009F@microsoft.com,
Axel Dahmen <keentoknow@newsgroup.nospam> typed:
> See here for the same suggestion for Firefox, including images:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=547437

....

>
>
> ----------------
> This post is a suggestion for Microsoft, and Microsoft responds to the
> suggestions with the most votes. To vote for this suggestion, click
> the "I Agree" button in the message pane. If you do not see the
> button, follow this link to open the suggestion in the Microsoft
> Web-based Newsreader and then click "I Agree" in the message pane.
>
> http://www.microsoft.com/communitie...&dg=microsoft.public.internetexplorer.general


This isn't Microsoft the company. It's just a group of Microsoft users
helping each other. Contact MS directly but don't hold your breath for any
changes.

HTH,

Twayne
--
Newsgroups are great places to get assistance.
But always verify important information with
other sources to be certain you have a clear
understanding of it and that it is accurate.
 

Axel Dahmen

Flightless Bird
Hi Twayne,

I'm sorry to correct you, but I've entered this post using Microsoft Managed
Newsgroups, tagging it as "Suggestion for Microsoft". So they actually read
it.

Did you read the automatically generated signature below my posting?

Here's a hyperlink to the web version of this thread:

http://www.microsoft.com/communitie...d5-abbc-fd59a914009f&cat=&lang=&cr=&sloc=&p=1

I'd very much appreciate your vote on this issue ;)

Best regards,
Axel Dahmen


---------------------
"Twayne" wrote:
> This isn't Microsoft the company. It's just a group of Microsoft users
> helping each other. Contact MS directly but don't hold your breath for any
> changes.
>
> HTH,
>
> Twayne
 

Axel Dahmen

Flightless Bird
"Axel Dahmen" wrote:

> See here for the same suggestion for Firefox, including images:
> https://bugzilla.mozilla.org/show_bug.cgi?id=547437



Just to add to the above suggestion:


If using URL paths instead of domain names, some valid values might be:


file: http:
(= local files can access any http: destination)


file: *
(= local files can access any destination)


* http://www.ups.com/WebTracking/
(= files from any sources can access any resource at or below this http: path)


* https://www.ups.com/WebTracking/
(= files from any sources can access any resource at or below this https: path)
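As an added example (my own code, not from the thread or from either browser vendor), here is one way the per-user white list described in the first post, together with the URL-path entries listed just above, could be evaluated by a browser before it lets a cross-site request out. The entry syntax follows the posts: "*" for anything, a bare scheme such as "file:" or "http:", a bare site name such as "mozilla.org", or a URL prefix such as "http://www.ups.com/WebTracking/". The function names, the object shape of the list, the sample list and the choice to match bare site names exactly (not their subdomains) are my assumptions.

```javascript
// Added example: a matcher for the user-managed cross-site white list
// proposed in this thread. Not from the thread or any browser; the
// function names, list shape and exact-host rule are assumptions.

// A white-list entry is one of:
//   "*"                                any source / any destination
//   "file:" / "http:"                  any URL with that scheme
//   "mozilla.org"                      a bare site name (matched exactly, assumption)
//   "http://www.ups.com/WebTracking/"  a URL prefix: that path and anything below it
function parseEntry(entry) {
  const e = entry.trim();
  if (e === '*') return { kind: 'any' };
  if (/^[a-z][a-z0-9+.-]*:$/i.test(e)) return { kind: 'scheme', scheme: e.toLowerCase() };
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(e)) {
    const u = new URL(e);
    return { kind: 'prefix', scheme: u.protocol, host: u.host, path: u.pathname };
  }
  return { kind: 'host', host: e.toLowerCase() };
}

// Does the concrete URL fall under the entry?
function entryMatches(entry, urlString) {
  const url = new URL(urlString);
  const p = parseEntry(entry);
  switch (p.kind) {
    case 'any':    return true;
    case 'scheme': return url.protocol === p.scheme;
    case 'host':   return url.host === p.host;
    case 'prefix': return url.protocol === p.scheme && url.host === p.host &&
                          url.pathname.startsWith(p.path);
  }
  return false;
}

// Same-origin requests are never subject to the list. Opaque origins
// (file:, data:) report "null" and must not be treated as equal to each other.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.origin !== 'null' && ua.origin === ub.origin;
}

// whiteList shape (assumption): { sourceEntry: [destinationEntry, ...] }.
// Returns a decision object; a blocked decision carries the pair so a UI
// (the proposed yellow bar) can offer to add it and retry the request.
function decide(whiteList, sourceUrl, destUrl) {
  if (sameOrigin(sourceUrl, destUrl)) return { allowed: true, reason: 'same-origin' };
  for (const [src, dests] of Object.entries(whiteList)) {
    if (!entryMatches(src, sourceUrl)) continue;
    for (const dst of dests) {
      if (entryMatches(dst, destUrl)) {
        return { allowed: true, reason: `white list: ${src} -> ${dst}` };
      }
    }
  }
  return { allowed: false, reason: 'blocked', source: sourceUrl, destination: destUrl };
}

// Constructed sample list mirroring the entries discussed in the thread.
const SAMPLE_WHITE_LIST = {
  'file:': ['http:'],                           // local files -> any http: destination
  'mozilla.org': ['https://api.example.com/'],  // one site -> one service (constructed)
  '*': ['http://www.ups.com/WebTracking/',      // any source -> the tracking path only
        'https://www.ups.com/WebTracking/'],
};

// Stand-alone demo with constructed URLs.
for (const [src, dst] of [
  ['file:///C:/Users/me/page.html', 'http://weather.example.net/data'],
  ['http://anything.example.org/', 'http://www.ups.com/Other/'],
]) {
  console.log(src, '->', dst, decide(SAMPLE_WHITE_LIST, src, dst));
}
```

Two details are worth noting: a blocked decision returns the exact source/destination pair, which is what the proposed yellow bar would need in order to offer a one-click white-list entry, and file: pages never count as same-origin with each other, so local files only reach anything (including other local files) through an explicit entry such as "file: *".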
 

VanguardLH

Flightless Bird
Axel Dahmen wrote:

> Hi Twayne,
>
> I'm sorry to correct you, but I've entered this post using Microsoft Managed
> Newsgroups, tagging it as "Suggestion for Microsoft". So they actually read
> it.


You are new here. This is NOT a forum. It is NOT monitored by Microsoft.
This is *Usenet* (aka newsgroups). Microsoft operates a pretend forum that
uses a gateway to Usenet. There are lots of leech sites that provide a
webnews-for-dummies interface to Usenet. Microsoft is hardly new at this
but was audacious in believing they could usurp Usenet for the microsoft.*
newsgroups by adding voting and suggestion signatures that are worthless in
Usenet and have very limited usefulness in their forum interface to Usenet.

What is Usenet:
http://en.wikipedia.org/wiki/Usenet
http://en.wikipedia.org/wiki/Newsgroups
http://www.masonicinfo.com/newsgroups.htm
http://www.mcfedries.com/Ramblings/usenet-primer.asp

When using a webnews-for-dummies interface (e.g., Microsoft's Communities,
Google Groups, or a leech site using a forum-to-Usenet proxy), those are
gateways to Usenet. Despite the pretense of a forum, you are participating
in a newsgroup (aka Usenet).

Good luck in trying to reach someone at Microsoft for your personal concerns
which have a tiny community that would want this feature. Microsoft listens
to large corporations who pay the big bucks for support. They have their MS
Connect site where you could try to submit a bug report (but then yours is a
Request for Enhancement rather than a bug report). Best you can probably do
is get involved as an early beta tester of version 9 to get your comments
reviewed by Microsoft (not later when they spew out a *public* beta that any
boob can download).

For now, and because XSS is a user-configurable option, and since this
appears a problem within your small community (like at some workplace), have
your users or use GPO to push out a policy that configures the Trusted Sites
security zone to disable the XSS option. Then put your site in the Trusted
Sites security zone. There's your whitelist which is voluntary to the users
as to how they configure (or established by company policy who can push
policies onto their employees).
 

Axel Dahmen

Flightless Bird
Vanguard,

"VanguardLH" wrote:
> You are new here. This is NOT a forum. It is NOT monitored by Microsoft.


And YOU must be joking! But you are NOT funny!

Hey, I'm doing this for almost twenty years now. And I don't need a
wise guy to tell me what I'm doing!

Have you followed the link that's automatically added to my post? I'm paying
lots of money for this functionality!

So, please, if you don't have anything technical to reply to my suggestion, just
step back and let grown ups talk, will you?

Axel Dahmen
www.axeldahmen.de
http://www.dashop.de/blog/en/usenet/Invalid-Newsgroup-Statements.html
 

VanguardLH

Flightless Bird
Axel Dahmen wrote:

> Vanguard,
>
> "VanguardLH" wrote:
>> You are new here. This is NOT a forum. It is NOT monitored by Microsoft.

>
> And YOU must be joking! But you are NOT funny!
>
> Hey, I'm doing this for almost twenty years now. And I don't need a
> wise guy to tell me what I'm doing!


Since your 1st post, and especially your 2nd post, make it appear that you
are ignorant about Microsoft operating a webnews-for-dummies gateway to
Usenet, and also because you ARE using the webnews-for-dummies interface
instead of a real newsreader to an NNTP server, you certainly appeared to be
naive.

> Have you followed the link that's automatically added to my post?


The link in your first post is NOT added by you. It is appended to your
post AFTER you submit it and is added by Microsoft when using their webnews
interface to Usenet. The link in your second post merely points to the
forum's pointer but then we that use NNTP for Usenet don't need to waste
time looking at the same post in the webnews-for-dummies interface. All you
did in your 2nd post was link back to your 1st post which we already saw.

Oh, I was supposed to magically see your link (as if I'd waste my time
there) this post that didn't yet exist until you replied. Uh huh.

> I'm paying lots of money for this functionality!


No one has to pay to use Microsoft's webnews gateway. It's free. Same for
their NNTP server (msnews.microsoft.com). Want to try yet another story?

> So, please, if you don't have anything technical to reply to my suggestion, just
> step back and let grown ups talk, will you?


Whine all you want. A solution was offered. That you don't like it doesn't
change that it exists. Apparently you don't have control over the user's
hosts to push policies on them. That also means that you would have no
control over pushing a whitelist on them, either, and if they whitelisted
you (already available) then it would be THEIR choice.
 

Axel Dahmen

Flightless Bird
Vanguard,

once and for all: If you do not follow links - or if you just don't know
what you're talking about - just keep quiet and don't harass people you don't
know with your personal opinion, will you? Have you ever read about things
like Netiquette?

Here's a final link for you. Apparently you don't seem to know about
Microsoft MSDN and MSDN Membership benefits and how it works:

http://msdn.microsoft.com/en-us/subscriptions/aa974230.aspx

Axel Dahmen
www.axeldahmen.de

*plonk*
 

Axel Dahmen

Flightless Bird
The CSP meta information solution brings the advantage of distinguishing
intended cross-site-scripting from malicious cross-site-scripting I wanted to
cope with by my suggestion but moves responsibility for white listing to the
administrator of the originating page. He/she is the one who is supposed to
know best which content to allow.

This is a far better approach than mine. So I step back from my suggestion
and hope the solution presented in this specification is going to become a
standard soon. And hopefully it will find its way into IE9.



----------------------------------------
"Axel Dahmen" wrote:

> Jo Hermans pointed me to an excellent work on this topic from Mozilla:
>
> It's about Content Security Policy (in which case it would
> be the website itself that determines if a remote script is allowed or not):
>
> http://blog.mozilla.com/security/2009/09/30/a-glimpse-into-the-future-of-browser-security/
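To make concrete what "moves responsibility for white listing to the administrator of the originating page" means, here is an added example (my own code, not from the thread, from Mozilla's post or from any browser) of a simplified Content Security Policy check. The page's server sends a policy header; before letting a request out, the browser consults the directive that governs it (connect-src for XMLHttpRequest, frame-src for an <iframe>), falling back to default-src. Source-expression matching follows the CSP rules for 'self', 'none', scheme-only sources, hosts with a leading *. wildcard, ports and path prefixes; nonces, hashes, redirect handling and the child-src fallback for frames are omitted, and the sample policy and URLs are constructed.

```javascript
// Added example, not from the thread or any browser: a simplified version of
// how a browser evaluates a Content-Security-Policy header against a request.

// Parse "directive src src; directive src" into a Map; per the spec the first
// occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// A policy written for http/ws also matches the secure upgrade of that scheme.
function schemeMatches(expected, actual) {
  return expected === actual ||
         (expected === 'http:' && actual === 'https:') ||
         (expected === 'ws:' && actual === 'wss:');
}

// Does one source expression match the request URL, given the page's URL?
function sourceMatches(source, url, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === page.origin;
  if (source === '*') return url.protocol in DEFAULT_PORT;          // network schemes only
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return schemeMatches(source.toLowerCase(), url.protocol);
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;   // nonces, hashes and unrecognised tokens never match a URL
  const [, scheme, wildcard, host, port, path] = m;
  const expectedScheme = scheme ? scheme.toLowerCase() + ':' : page.protocol;
  if (!schemeMatches(expectedScheme, url.protocol)) return false;
  const h = host.toLowerCase(), actualHost = url.hostname.toLowerCase();
  if (wildcard ? !actualHost.endsWith('.' + h) : actualHost !== h) return false;
  if (port === undefined) {
    if (url.port !== '') return false;                                // must be the default port
  } else if (port !== '*' && port !== (url.port || DEFAULT_PORT[url.protocol])) {
    return false;
  }
  if (path !== undefined) {
    // A path ending in "/" is a prefix; otherwise it must match exactly.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Is a request governed by `directive` allowed by the policy of `pageUrl`?
function isAllowed(header, directive, pageUrl, requestUrl) {
  const policy = parsePolicy(header);
  let sources = policy.get(directive.toLowerCase());
  if (sources === undefined) sources = policy.get('default-src');     // simplified fallback
  if (sources === undefined) return true;                             // nothing governs it
  const page = new URL(pageUrl), url = new URL(requestUrl);
  return sources.some((src) => sourceMatches(src, url, page));
}

// Constructed sample policy: the site only talks to its own origin, one API
// path, any tracking subdomain, and may only frame one widget host.
const SAMPLE_POLICY =
  "default-src 'self'; " +
  "connect-src 'self' https://api.example.com/v1/ https://*.tracking.example.net; " +
  "frame-src https://widgets.example.org";
const PAGE = 'https://shop.example.com/checkout';

// Stand-alone demo: the XMLHttpRequest and <iframe> cases from the thread.
console.log('XHR to API   :', isAllowed(SAMPLE_POLICY, 'connect-src', PAGE, 'https://api.example.com/v1/orders'));
console.log('XHR elsewhere:', isAllowed(SAMPLE_POLICY, 'connect-src', PAGE, 'https://other.example.net/'));
console.log('iframe widget:', isAllowed(SAMPLE_POLICY, 'frame-src', PAGE, 'https://widgets.example.org/embed'));
```

The contrast with the per-user list is visible in where the data lives: here the allowed destinations are declared once by the site that serves the page, so a browser needs no user dialog and every visitor gets the same policy, while a page with no governing directive is simply not restricted by CSP.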
 

VanguardLH

Flightless Bird
Axel Dahmen wrote:

> Vanguard,
>
> once and for all: If you do not follow links - or if you just don't know
> what you're talking about - just keep quiet and don't harass people you don't
> know with your personal opinion, will you? Have you ever read about things
> like Netiquette?


Arguing with you is not violative of netiquette. If you want only sweet
cooings in your ear that sate your ego and don't puncture your thin-skinned
ego then Usenet is not where you should visit.

> Here's a final link for you. Apparently you don't seem to know about
> Microsoft MSDN and MSDN Membership benefits and how it works:
>
> http://msdn.microsoft.com/en-us/subscriptions/aa974230.aspx
>
> Axel Dahmen
> www.axeldahmen.de


None of which changes that you are posting using a FREE webnews gateway to
Usenet that ANYONE can use. You did NOT have to pay to post here. If you
thought so, you got suckered into paying for what you can get for free.

Yeah, I know about MSDN and its subscriptions. Never bought one for
personal use but have it at work for both Development and QA groups. Still
doesn't change that WHERE you are posting is FREE, that it is a webnews
interface for a gateway to Usenet, and that suggestions here are only seen
by other users, not Microsoft.

> *plonk*


Oh yeah, I'm devastated now, for sure.
 

N. Miller

Flightless Bird
On Sun, 21 Feb 2010 00:13:01 -0800, Axel Dahmen wrote:

> "VanguardLH" wrote:


>> You are new here. This is NOT a forum. It is NOT monitored by Microsoft.


> And YOU must be joking! But you are NOT funny!
>
> Hey, I'm doing this for almost twenty years now. And I don't need a
> wise guy to tell me what I'm doing!
>
> Have you followed the link that's automatically added to my post? I'm paying
> lots of money for this functionality!


You are referring to this suggestion, appended to your post by the Microsoft
Communities servers:

| ----------------
| This post is a suggestion for Microsoft, and Microsoft responds to the
| suggestions with the most votes. To vote for this suggestion, click the "I
| Agree" button in the message pane. If you do not see the button, follow this
| link to open the suggestion in the Microsoft Web-based Newsreader and then
| click "I Agree" in the message pane.

If I wanted to use the web view, I wouldn't use a proper NNTP reader. I've
never seen the point of reopening an article, just to vote for something.

> So, please, if you don't have anything technical to reply to my suggestion, just
> step back and let grown ups talk, will you?


Wondering what makes you think you are more mature than any other poster ...
or they less mature than you.

BTW, WRT the voting button, you are not paying for that functionality. It is
a part of the Microsoft Communities, not your MSDN subscription.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
 

VanguardLH

Flightless Bird
N. Miller wrote:

> BTW, WRT the voting button, you are not paying for that functionality. It is
> a part of the Microsoft Communities, not your MSDN subscription.


He appears to be in denial of the fact that EVERYONE gets to use the webnews
gateway provided by Microsoft - and for free.
 

PA Bear, MS MVP

Flightless Bird
<snip>
> This post is a suggestion for Microsoft, and Microsoft responds to the
> suggestions with the most votes...


Yeah, right! If you believe that, I've got a bridge you may be
interested in buying.
 

PA Bear [MS MVP]

Flightless Bird
> Hey, I'm doing this for almost twenty years now.

[Ooo, always a sign of an inflated, easily-bruised ego...]


Axel Dahmen wrote:
> Vanguard,
>
> "VanguardLH" wrote:
>> You are new here. This is NOT a forum. It is NOT monitored by
>> Microsoft.

>
> And YOU must be joking! But you are NOT funny!
>
> Hey, I'm doing this for almost twenty years now. And I don't need a
> wise guy to tell me what I'm doing!
>
> Have you followed the link that's automatically added to my post? I'm
> paying
> lots of money for this functionality!
>
> So, please, if you don't have anything technical to reply to my suggestion,
> just
> step back and let grown ups talk, will you?
>
> Axel Dahmen
> www.axeldahmen.de
> http://www.dashop.de/blog/en/usenet/Invalid-Newsgroup-Statements.html
 