Status of proposed Firefox XSS filter in bug 528661?

Andreas Vikne
Hello,

What is the current status of the proposed XSS filter for Firefox as
described in this bug report?
https://bugzilla.mozilla.org/show_bug.cgi?id=528661

I have found some more info regarding this filter:
https://wiki.mozilla.org/Security/Features/XSS_Filter
https://wiki.mozilla.org/Security/Reviews/xssfilter

I am interested in a working implementation of an XSS filter for Firefox
based on the same techniques described in these links. I do not find any
updates since 2012 about this topic. Is this something that is completely
abandoned?
I understand that an XSS filter is not a prioritized feature, but is this
the only reason why there are no updates?

Regards, Andreas
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Status of proposed Firefox XSS filter in bug 528661?

Frederik Braun
Hi Andreas,

There have been numerous discussions, the latest one in late 2016 and we
had come to the conclusion that it is currently not worth the effort for
Firefox to provide a built-in feature:

An XSS filter cannot protect against stored (aka persistent) XSS or DOM
XSS, which has become more and more prevalent recently.
An XSS filter is prone to security holes if not maintained very
diligently and actively. It is hard to justify security engineering time
on a feature that provides limited value.
Lastly, there is an XSS filter in NoScript that people can use.

If you're interested in implementing an XSS filter, I recommend doing
this as a Web Extension.
Maybe talk to Giorgio Maone (CCd), the NoScript maintainer and see if
there's a shared interest for shipping the NoScript xss-filter as its
own extension.

FWIW, the interesting code is at [1].

Good luck!
Freddy



[1] This is an unofficial mirror, but the most convenient way to link to
the source code for me:
<https://github.com/avian2/noscript/blob/fa01ea95f206f73254e918dd2d4dcb41e1655e93/xpi/chrome/content/noscript/RequestWatchdog.js#L343>
and
<https://github.com/avian2/noscript/blob/fa01ea95f206f73254e918dd2d4dcb41e1655e93/xpi/chrome/content/noscript/InjectionChecker.js>

On 28.02.2018 17:55, Andreas Vikne wrote:

> Hello,
>
> What is the current status of the proposed XSS filter for Firefox as
> described in this bug report?
> https://bugzilla.mozilla.org/show_bug.cgi?id=528661
>
> I have found some more info regarding this filter:
> https://wiki.mozilla.org/Security/Features/XSS_Filter
> https://wiki.mozilla.org/Security/Reviews/xssfilter
>
> I am interested in a working implementation of an XSS filter for Firefox
> based on the same techniques described in these links. I do not find any
> updates since 2012 about this topic. Is this something that is completely
> abandoned?
> I understand that an XSS filter is not a prioritized feature, but is this
> the only reason why there are no updates?
>
> Regards, Andreas
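
To illustrate the first limitation raised in the reply above, here is an added example (not part of the thread, and not Firefox or NoScript code) of a deliberately simplified reflection-matching filter run against three cases. The heuristic, function names, URLs and page bodies are all constructed assumptions; real filters are far more elaborate.

```javascript
// Simplified model of a reflected-XSS filter: it flags a response only when a
// script-like value from the outgoing request reappears verbatim in the body.
// SUSPICIOUS is a toy heuristic assumed for this example.
const SUSPICIOUS = /<script\b|\bon\w+\s*=|javascript:/i;

function filterBlocks(requestUrl, responseBody) {
  // Only the query string is inspected: the fragment (#...) is never sent to
  // the server, and content stored earlier is not in this request at all.
  const params = new URL(requestUrl).searchParams; // values are percent-decoded
  for (const value of params.values()) {
    if (SUSPICIOUS.test(value) && responseBody.includes(value)) return true;
  }
  return false;
}

// Constructed samples; marker() is a harmless placeholder function name.
const CASES = {
  // Reflected: the request carries the markup and the server echoes it.
  reflected: {
    url: "https://shop.example/search?q=%3Cscript%3Emarker()%3C%2Fscript%3E",
    body: "<p>Results for <script>marker()</script></p>",
  },
  // Stored: the markup was saved by an earlier request; this one is clean.
  stored: {
    url: "https://shop.example/item?id=42",
    body: '<div class="comment"><script>marker()</script></div>',
  },
  // DOM-based: the value sits in the fragment and is written into the page by
  // the site's own script, so request and response never contain it together.
  dom: {
    url: "https://shop.example/welcome#name=%3Cimg%20src%3Dx%20onerror%3Dmarker()%3E",
    body: '<h1 id="greet"></h1><script src="/static/greet.js"></script>',
  },
  // Benign reflection: echoed, but nothing script-like in the value.
  benign: {
    url: "https://shop.example/search?q=shoes",
    body: "<p>Results for shoes</p>",
  },
};

function evaluate() {
  const out = {};
  for (const [name, c] of Object.entries(CASES)) out[name] = filterBlocks(c.url, c.body);
  return out;
}

console.log(evaluate());
```

Only the reflected case is flagged; in the stored and DOM cases there is nothing in the request for the filter to correlate with the response.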