Subject: Proposal: HTML tag to disable active content - msg#00029
From the perspective of a web application programmer and security
consultant, I think it would be very useful to have HTML tags to mark HTML
sections where active content should be disabled, possibly selected active
content.
Right now the HTML environment with respect to potentially dangerous
content is:
In order to stop, you must make sure that none of the 1001 GO buttons were
pressed before. There is no STOP button. No Big Red Emergency Stop button.
This seems to be a disaster prone situation. Like driving a car without
brakes. Only experts can do it, and typically even they screw up too.
I think we need some form of brakes. Something like the following:
<activeoff lock="matchingrandomstring" allowed="java" />
Any active content disabled here. Even if slips past site's filters.
<activeon lock="matchingrandomstring" />
The disabled active content reenabled. Does not mean everything enabled,
just those disabled earlier.
(The /> is to make it XHTML compatible ala the BR tag).
This would be especially good for sites displaying 3rd party/possibly
hostile content- for example: webmail sites (Hotmail, Yahoo), discussion
sites (slashdot, kuro5hin, etc), sites displaying syndicated content from
other sources, or even search engines.
Reasoning:
1) Though sites should still filter any content they display, there have
been cases where due to browser parser differences, attackers can still
slip in dangerous active content. Sites are unable to deal with the myriad
browser bugs.
2) There are too many ways to slip in dangerous content. And the number of
ways seems to be increasing not decreasing.
3) There aren't enough tags to disable dangerous content, only way to
ensure is to make sure that no dangerous content appears anywhere.
4) With a tag like this, sites can enable active content under their
control, whilst reducing the chance that malicious active content will
affect their users. Users can thus be more confident about enabling active
content.
Finally:
I have exploited sites just by using IFRAMEs or images alone. So rather
than just disabling active content it may actually be good to have a tag
that selectively disables stuff, or a "safe HTML only" option, the typical
safe HTML sites allow - no images, no IFRAMEs. So maybe instead of
activeoff it should be something like:
<htmlmode option="safe" allowed="a,table" lock="randomstring">
But implementation complexity could increase. Simplicity is the target -
simple = less bugs, easy adoption.
If tags to disable stuff like this became common usage, it could
be very much harder to do mischief.
This is not a total solution. There are no 100% solutions in security. This
is a safety aid - seat belt, air bag, brakes etc. Just because brakes
aren't a 100% solution to driving safely doesn't mean you don't need
brakes.
I have tried the www-html list, and other places, nothing happened, many
people didn't even understand the problem or concept, but still objected
anyway.
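
A small model of the mechanism proposed above, added here as an illustration and not part of the original post: the server fences third-party HTML with a fresh random lock, and a simulated client honours only an activeon whose lock matches. The activeoff/activeon tags are the proposal's own and are hypothetical; the function names and the sample comment are constructed for this example.

```python
import re
import secrets

# Hypothetical tags from the proposal; this models them, it is not a browser feature.
# Simplification: the lock attribute is expected first, other attributes are ignored.
TAG = re.compile(r'<(activeoff|activeon)\s+lock="([^"]*)"[^>]*/>', re.I)

def wrap_untrusted(html):
    """Server side: fence third-party HTML with a fresh per-response lock."""
    lock = secrets.token_hex(16)  # 128 random bits the content author cannot guess
    fenced = f'<activeoff lock="{lock}" />{html}<activeon lock="{lock}" />'
    return fenced, lock

def disabled_spans(page):
    """Model of the proposed client behaviour: (start, end) offsets where
    active content is off. Only an activeon whose lock matches the opening
    activeoff ends the region; every other activeon/activeoff is ignored."""
    spans, open_lock, start = [], None, 0
    for m in TAG.finditer(page):
        kind, lock = m.group(1).lower(), m.group(2)
        if kind == "activeoff" and open_lock is None:
            open_lock, start = lock, m.end()
        elif kind == "activeon" and open_lock is not None and lock == open_lock:
            spans.append((start, m.start()))
            open_lock = None
    if open_lock is not None:  # fail closed: an unterminated region runs to the end
        spans.append((start, len(page)))
    return spans

def is_disabled(page, needle):
    """True if the first occurrence of needle lies inside a disabled region."""
    i = page.index(needle)
    return any(s <= i < e for s, e in disabled_spans(page))

# Constructed sample: a hostile comment that tries to close the fence itself.
COMMENT = 'hi <activeon lock="guess" /><script>/* third-party */</script>'
SITE_SCRIPT = '<script>/* site-owned */</script>'

def build_page():
    fenced, _ = wrap_untrusted(COMMENT)
    return fenced + SITE_SCRIPT

if __name__ == "__main__":
    page = build_page()
    print("third-party script disabled:", is_disabled(page, "<script>/* third-party"))
    print("site-owned script disabled:", is_disabled(page, "<script>/* site-owned"))
```

The forged `<activeon lock="guess" />` inside the comment is ignored because its lock does not match, which is the reason the proposal ties both tags to a random string generated per response.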
Next Message by Thread:
Re: Proposal: HTML tag to disable active content
Lincoln Yeoh wrote:
> I have tried the www-html list,

And have read your proposal there (about a year ago?). (But I don't
remember the discussion exactly anymore.)

> and other places, nothing happened

Maybe because there were valid concerns, maybe it's even just a bad
idea? To be taken seriously, you'd have to link to these other
discussions and preferably include and consider the counter-arguments.