20070812

Content Restrictions - A Call for Input

RSnake has had several conversations with the Mozilla team about security features he would like to see, and the one they've latched onto is Content Restrictions. The idea is that a site can tell your browser, "I only serve these types of content; don't accept anything else from me." RSnake has asked folks to provide their input on what they'd like to see.

Here's how I'd like to see that pan out:

  • The content-type restrictions probably should not go into an XML file, or the browser should place serious restrictions on the XML, such as not expanding entities. If I can't trust the site for some reason, how am I to trust that the XML won't DoS my browser?
  • The content-type restrictions should probably come in headers (à la ETags), not in a file at the root of the site (à la robots.txt), because the restrictions may differ between paths of the site: consider a single host that hosts several applications, each of which may return different types of content. This would also give applications the ability to change those restrictions dynamically (unfortunately, if there's header injection or response splitting, the attacker can certainly mangle these responses as well).
  • If I can tell a browser to trust me only so far, it would be wonderful to be able to extend this even further. For example: don't trust 302s from me that take you out of my domain (WOW!); don't send back any requests to me that wouldn't also send Cookie n; only POST to me if POST parameter n is included; don't ever GET, HEAD, or TRACE to these paths, only POST.
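
A sketch of how a browser could parse and enforce header-delivered restrictions like those in the list above, with the policy arriving on each response so it can differ per path. This is an added example, not code from this post, RSnake or Mozilla; the `X-Content-Restrictions` header name, its directive syntax and the function names are all hypothetical, and "out of my domain" is simplified to a host comparison.

```javascript
// Hypothetical header (an assumption, not a shipped browser feature):
//   X-Content-Restrictions: allow-types text/html image/png; allow-methods POST; no-offsite-redirect
const MAX_HEADER_LEN = 1024; // hard caps: a flat header has nothing to expand, unlike XML entities
const MAX_TOKENS = 32;

function parsePolicy(headerValue) {
  if (typeof headerValue !== "string" || headerValue.length > MAX_HEADER_LEN) return null;
  const policy = { types: null, methods: null, noOffsiteRedirect: false };
  for (const directive of headerValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    if (tokens.length > MAX_TOKENS) return null;
    const [name, ...args] = tokens;
    switch (name.toLowerCase()) {
      case "allow-types": policy.types = new Set(args.map((a) => a.toLowerCase())); break;
      case "allow-methods": policy.methods = new Set(args.map((a) => a.toUpperCase())); break;
      case "no-offsite-redirect": policy.noOffsiteRedirect = true; break;
      default: break; // unknown directives are ignored
    }
  }
  return policy;
}

// What the browser would refuse in a response received from `origin`.
function responseViolations(policy, origin, res) {
  const out = [];
  const isRedirect = res.status >= 300 && res.status < 400 && Boolean(res.headers.location);
  const type = (res.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (policy.types && !isRedirect && !policy.types.has(type)) out.push("content-type:" + type);
  if (policy.noOffsiteRedirect && isRedirect) {
    const target = new URL(res.headers.location, origin);
    if (target.host !== new URL(origin).host) out.push("offsite-redirect:" + target.host);
  }
  return out;
}

// Whether the browser may send `method` to a path covered by the policy.
function requestAllowed(policy, method) {
  return !policy.methods || policy.methods.has(method.toUpperCase());
}

// Constructed sample: one policy and two responses from https://app.example
const samplePolicy = parsePolicy("allow-types text/html image/png; allow-methods POST; no-offsite-redirect");
console.log(responseViolations(samplePolicy, "https://app.example", { status: 200, headers: { "content-type": "application/x-shockwave-flash" } }));
console.log(responseViolations(samplePolicy, "https://app.example", { status: 302, headers: { location: "https://other.example/landing" } }));
console.log(requestAllowed(samplePolicy, "GET"));
```

Because the policy rides in the same response headers it constrains, the header-injection caveat from the list applies to this sketch unchanged.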

And then this is off the topic, but one feature I'd love to see is for the Yes or OK button to default to doing the right thing. For example, if a site has an expired certificate and you click Yes, Yes means to do the very bad thing we just told you not to. Anti-phishing says, "Click Yes to visit this naughty site we've already determined is naughty." If they know it's naughty, they know what it's trying to spoof, so make Yes take you to the real site, not the fake one.

Be sure to send your input to RSnake.
