66579 – [meta] XSSAuditor should have fewer false negatives

Bug 66579 - [meta] XSSAuditor should have fewer false negatives

Summary: [meta] XSSAuditor should have fewer false negatives

Status:	RESOLVED WONTFIX

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	XSSAuditor

Depends on:	27895 29278 66580 66585 66588 66850 67091 67134 68094 68281 70255
Blocks:
	Show dependency tree / graph

Reported:	2011-08-19 13:26 PDT by Adam Barth
Modified:	2021-09-21 14:08 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Adam Barth 2011-08-19 13:26:50 PDT

Currently the XSSAuditor has very few false positives, but it does have a number of false negatives.  False negatives a problematic because they let attackers bypass the filter, negating some of its security benefits.  False positives fall into two categories:

1) Tricky injections into in-scope injection contexts.
2) Injections into out-of-scope injection contexts.

Whether an injection context is in-scope is somewhat of an arbitrary distinction, but we should aim to tackle all the tricky injection vectors for the in-scope injection contexts before we expand to consider more contexts in-scope.  This approach puts us on a path to eliminating all the attack vectors for a given set of vulnerabilities rather than catching some, but not all, the attack vectors for a large number of vulnerabilities.

Let's use this bug as a meta bug for Type 1 vulnerabilities (which will appear as blocking this bug).

Comment 1 Brent Fulgham 2021-09-21 14:08:38 PDT

The XSS Auditor is removed in Bug 230499.