Suggestion: Enable User To Allow Discrete Cross-Site-Scripting

Axel Dahmen
See here for the same suggestion for Firefox, including images:



https://bugzilla.mozilla.org/show_bug.cgi?id=547437





In the course of enforcing Same Origin policy, Internet Explorer (like other

browsers) blocks attempts to access content from other websites through,

e.g., elements or XMLHttpRequest calls.



Because this particularly stops Internet Explorer from making use of web

services by using the XMLHttpRequest object, I'd like to suggest enabling

the user to create a white list of web sites (or URL paths) that are allowed

to access a list of foreign websites (or URL paths).





Here are the details:



(I've created a couple of Firefox sample dialogs and added them as

attachments to the above hyperlink at Mozilla. I'm running the German version

of Firefox so they are all in German. Most content is taken from the current

pop-up configuration dialog.)





* Like with pop-up dialogs, Internet Explorer should provide a dialog where

the user can edit a white list [see CSS1.png].



* This white list should allow the user to enter websites (or URL paths, I can't

tell what's more appropriate).



* For each of these websites (or URL paths) the user should be able to

enter a number of websites (or URL paths) that the website may address

through an element or the XMLHttpRequest object (or any similar

means) [see CSS2.gif, which is animated]. In the following the former is

called "source websites", the latter "destination websites".



* [CSS2a.png] shows the dialog when the user is to enter a new source

website. [CSS2b.png] shows the dialog when the user is to enter a new

destination website for the selected source website ("mozilla.org" in this

example).



* The user should be able to grant access to ANY foreign destination

content for a source website (or URL path). The asterisk ought to be used to

denote that a source website (or URL path) may access any foreign destination

content [see CSS2d.png].



* The user might want to grant access to certain web services to ANY source

website without restriction (e.g. package tracking services). So entering an

asterisk into the list of source websites (or URL paths) would allow the

destination websites (or URL paths) listed in the destination list to be

accessed by any arbitrary source [see CSS2e.png].



* To inform the user of a blocked foreign request attempt, Internet

Explorer should display a yellow bar above a document when such request(s)

has or have been blocked. The yellow bar should allow the user to enter the currently

blocked request(s) into the white list and re-attempt to execute these

requests [see CSS3.png].





----------------

This post is a suggestion for Microsoft, and Microsoft responds to the

suggestions with the most votes. To vote for this suggestion, click the "I

Agree" button in the message pane. If you do not see the button, follow this

link to open the suggestion in the Microsoft Web-based Newsreader and then

click "I Agree" in the message pane.



http://www.microsoft.com/communitie...&dg=microsoft.public.internetexplorer.general
 
In news:A02CDD3D-CB43-4ED5-ABBC-FD59A914009F@microsoft.com,

Axel Dahmen typed:

> See here for the same suggestion for Firefox, including images:

>

> https://bugzilla.mozilla.org/show_bug.cgi?id=547437


....



>

>

> ----------------

> This post is a suggestion for Microsoft, and Microsoft responds to the

> suggestions with the most votes. To vote for this suggestion, click

> the "I Agree" button in the message pane. If you do not see the

> button, follow this link to open the suggestion in the Microsoft

> Web-based Newsreader and then click "I Agree" in the message pane.

>

> http://www.microsoft.com/communitie...&dg=microsoft.public.internetexplorer.general




This isn't Microsoft the company. It's just a group of Microsoft users

helping each other. Contact MS directly but don't hold your breath for any

changes.



HTH,



Twayne

--

Newsgroups are great places to get assistance.

But always verify important information with

other sources to be certain you have a clear

understanding of it and that it is accurate.
 
Hi Twayne,



I'm sorry to correct you, but I've entered this post using Microsoft Managed

Newsgroups, tagging it as "Suggestion for Microsoft". So they actually read

it.



Did you read the automatically generated signature below my posting?



Here's a hyperlink to the web version of this thread:



http://www.microsoft.com/communitie...d5-abbc-fd59a914009f&cat=&lang=&cr=&sloc=&p=1



I'd very much appreciate your vote on this issue ;)



Best regards,

Axel Dahmen





---------------------

"Twayne" wrote:

> This isn't Microsoft the company. It's just a group of Microsoft users

> helping each other. Contact MS directly but don't hold your breath for any

> changes.

>

> HTH,

>

> Twayne
 
"Axel Dahmen" wrote:



> See here for the same suggestion for Firefox, including images:

> https://bugzilla.mozilla.org/show_bug.cgi?id=547437






Just to add to the above suggestion:





If using URL paths instead of domain names, some valid values might be:





file: http:

(= local files can access any http: destination)





file: *

(= local files can access any destination)





* http://www.ups.com/WebTracking/

(= files from any source can access any resource at or below this http: path)





* https://www.ups.com/WebTracking/

(= files from any source can access any resource at or below this https:

path)
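The whitelist semantics spelled out in the suggestion and in the URL-path examples above, worked through as an added example. This is not code from the original posts and not how any browser implemented the idea; it is a reference evaluator written for this page. The pattern forms (`*`, a bare scheme such as `file:` or `http:`, a full URL prefix such as `https://www.ups.com/WebTracking/`, a bare site name such as `mozilla.org`) are taken from the thread. Two details the posts leave open are assumptions made here: a bare site name also covers its subdomains, and a URL-prefix pattern requires the same scheme and host and treats its path as a directory.

```javascript
// Added example (not from the original posts): a reference evaluator for the
// user-maintained cross-site whitelist proposed in this thread.
// Whitelist shape: [{ source: <pattern>, destinations: [<pattern>, ...] }, ...]
// Pattern forms, taken from the posts:
//   "*"                                 any website
//   "http:" / "file:"                   any URL with that scheme
//   "https://www.ups.com/WebTracking/"  any resource at or below that path
//                                       (same scheme and host: assumption)
//   "mozilla.org"                       that site, including subdomains (assumption)

const SCHEME_ONLY = /^[a-z][a-z0-9+.-]*:$/i;
const FULL_URL = /^[a-z][a-z0-9+.-]*:\/\//i;

function matchesPattern(pattern, url) {
  if (pattern === '*') return true;
  const u = new URL(url);

  if (SCHEME_ONLY.test(pattern)) {
    return u.protocol.toLowerCase() === pattern.toLowerCase();
  }

  if (FULL_URL.test(pattern)) {
    const p = new URL(pattern);
    if (p.protocol !== u.protocol || p.host !== u.host) return false;
    // "At or below this path": the pattern's path is a directory boundary, so
    // /WebTracking/ covers /WebTracking/track but not /WebTrackingX/.
    const dir = p.pathname.endsWith('/') ? p.pathname : p.pathname + '/';
    return u.pathname === p.pathname || u.pathname.startsWith(dir);
  }

  // Bare site name: exact host or any subdomain of it.
  const host = u.hostname.toLowerCase();
  const site = pattern.toLowerCase().replace(/\.$/, '');
  return host === site || host.endsWith('.' + site);
}

function isAllowed(whitelist, sourceUrl, destUrl) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  // Same-origin requests are never blocked by the same-origin policy, so the
  // whitelist is only consulted for cross-origin ones. file: URLs have the
  // opaque origin "null" and are never same-origin with anything.
  if (src.origin !== 'null' && src.origin === dst.origin) return true;
  return whitelist.some(rule =>
    matchesPattern(rule.source, sourceUrl) &&
    rule.destinations.some(d => matchesPattern(d, destUrl)));
}

// Constructed sample whitelist built from the entries given in the thread.
const SAMPLE_WHITELIST = [
  { source: 'file:',       destinations: ['http:'] },
  { source: 'mozilla.org', destinations: ['https://www.ups.com/WebTracking/'] },
  { source: '*',           destinations: ['http://www.ups.com/WebTracking/'] },
];

// The decision the browser would take for one cross-site request; "block" is
// the case where the proposed yellow bar would be shown.
function decide(sourceUrl, destUrl) {
  return isAllowed(SAMPLE_WHITELIST, sourceUrl, destUrl) ? 'allow' : 'block';
}

for (const [s, d] of [
  ['file:///C:/Users/me/report.html', 'http://api.example.com/data'],
  ['https://attacker.example/', 'http://www.ups.com/WebTracking/track?id=1'],
  ['https://attacker.example/', 'http://www.ups.com/WebTrackingX/'],
]) console.log(decide(s, d), s, '->', d);
```

Note what the `*` source entry in the sample list does: once a destination is listed under it, every page on the web, an attacker's included, may read the response of any request the browser makes to that path on the user's behalf. That is the rule a reviewer would push back on, and it is the reason the later posts in this thread prefer letting the site that serves the content declare the policy.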
 
Axel Dahmen wrote:



> Hi Twayne,

>

> I'm sorry to correct you, but I've entered this post using Microsoft Managed

> Newsgroups, tagging it as "Suggestion for Microsoft". So they actually read

> it.




You are new here. This is NOT a forum. It is NOT monitored by Microsoft.

This is *Usenet* (aka newsgroups). Microsoft operates a pretend forum that

uses a gateway to Usenet. There are lots of leech sites that provide a

webnews-for-dummies interface to Usenet. Microsoft is hardly new at this

but was audacious in believing they could usurp Usenet for the microsoft.*

newsgroups by adding voting and suggestion signatures that are worthless in

Usenet and have very limited usefulness in their forum interface to Usenet.



What is Usenet:

http://en.wikipedia.org/wiki/Usenet

http://en.wikipedia.org/wiki/Newsgroups

http://www.masonicinfo.com/newsgroups.htm

http://www.mcfedries.com/Ramblings/usenet-primer.asp



When using a webnews-for-dummies interface (e.g., Microsoft's Communities,

Google Groups, or a leech site using a forum-to-Usenet proxy), those are

gateways to Usenet. Despite the pretense of a forum, you are participating

in a newsgroup (aka Usenet).



Good luck in trying to reach someone at Microsoft for your personal concerns

which have a tiny community that would want this feature. Microsoft listens

to large corporations who pay the big bucks for support. They have their MS

Connect site where you could try to submit a bug report (but then yours is a

Request for Enhancement rather than a bug report). Best you can probably do

is get involved as an early beta tester of version 9 to get your comments

reviewed by Microsoft (not later when they spew out a *public* beta that any

boob can download).



For now, and because XSS is a user-configurable option, and since this

appears a problem within your small community (like at some workplace), have

your users or use GPO to push out a policy that configures the Trusted Sites

security zone to disable the XSS option. Then put your site in the Trusted

Sites security zone. There's your whitelist which is voluntary to the users

as to how they configure (or established by company policy who can push

policies onto their employees).
 
Vanguard,



"VanguardLH" wrote:

> You are new here. This is NOT a forum. It is NOT monitored by Microsoft.




And YOU must be joking! But you are NOT funny!



Hey, I've been doing this for almost twenty years now. And I don't need a

wise guy to tell me what I'm doing!



Have you followed the link that's automatically added to my post? I'm paying

lots of money for this functionality!



So, please, if you don't have anything technical to reply to my suggestion, just

step back and let grown ups talk, will you?



Axel Dahmen

www.axeldahmen.de

http://www.dashop.de/blog/en/usenet/Invalid-Newsgroup-Statements.html
 
Axel Dahmen wrote:



> Vanguard,

>

> "VanguardLH" wrote:

>> You are new here. This is NOT a forum. It is NOT monitored by Microsoft.


>

> And YOU must be joking! But you are NOT funny!

>

> Hey, I've been doing this for almost twenty years now. And I don't need a

> wise guy to tell me what I'm doing!




Since your 1st post, and especially your 2nd post, make you appear ignorant

about Microsoft operating a webnews-for-dummies gateway to Usenet, and also

because you ARE using the webnews-for-dummies interface instead of a real

newsreader to an NNTP server, you certainly appeared to be naive.



> Have you followed the link that's automatically added to my post?




The link in your first post is NOT added by you. It is appended to your

post AFTER you submit it and is added by Microsoft when using their webnews

interface to Usenet. The link in your second post merely points to the

forum's pointer but then we that use NNTP for Usenet don't need to waste

time looking at the same post in the webnews-for-dummies interface. All you

did in your 2nd post was link back to your 1st post which we already saw.



Oh, I was supposed to magically see your link (as if I'd waste my time

there) in this post that didn't yet exist until you replied. Uh huh.



> I'm paying lots of money for this functionality!




No one has to pay to use Microsoft's webnews gateway. It's free. Same for

their NNTP server (msnews.microsoft.com). Want to try yet another story?



> So, please, if you don't have any technical to reply to my suggestion, just

> step back and let grown ups talk, will you?




Whine all you want. A solution was offered. That you don't like it doesn't

change that it exists. Apparently you don't have control over the user's

hosts to push policies on them. That also means that you would have no

control over pushing a whitelist on them, either, and if they whitelisted

you (already available) then it would be THEIR choice.
 
Vanguard,



once and for all: If you do not follow links - or if you just don't know

what you're talking about - just keep quiet and don't harass people you don't

know with your personal opinion, will you? Have you ever read about things

like Netiquette?



Here's a final link for you. Apparently you don't seem to know about

Microsoft MSDN and MSDN Membership benefits and how it works:



http://msdn.microsoft.com/en-us/subscriptions/aa974230.aspx



Axel Dahmen

www.axeldahmen.de



*plonk*
 
The CSP meta information solution brings the advantage of distinguishing

intended cross-site-scripting from malicious cross-site-scripting, which I wanted to

cope with in my suggestion, but moves responsibility for white listing to the

administrator of the originating page. He/she is the one who is supposed to

know best which content to allow.



This is a far better approach than mine. So I step back from my suggestion

and hope the solution presented in this specification is going to become a

standard soon. And hopefully it will find its way into IE9.







----------------------------------------

"Axel Dahmen" wrote:



> Jo Hermans pointed me to an excellent work on this topic from Mozilla:

>

> It's about Content Security Policy (in which case it would

> be the website itself that determines if a remote script is allowed or not):

>

> http://blog.mozilla.com/security/2009/09/30/a-glimpse-into-the-future-of-browser-security/
 
Axel Dahmen wrote:



> Vanguard,

>

> once and for all: If you do not follow links - or if you just don't know

> what you're talking about - just keep quiet and don't harass people you don't

> know with your personal opinion, will you? Have you ever read about things

> like Netiquette?




Arguing with you is not violative of netiquette. If you want only sweet

cooings in your ear that sate your ego and don't puncture your thin-skinned

ego then Usenet is not where you should visit.



> Here's a final link for you. Apparently you don't seem to know about

> Microsoft MSDN and MSDN Membership benefits and how it works:

>

> http://msdn.microsoft.com/en-us/subscriptions/aa974230.aspx

>

> Axel Dahmen

> www.axeldahmen.de




None of which changes that you are posting using a FREE webnews gateway to

Usenet that ANYONE can use. You did NOT have to pay to post here. If you

thought so, you got suckered into paying for what you can get for free.



Yeah, I know about MSDN and its subscriptions. Never bought one for

personal use but have it at work for both Development and QA groups. Still

doesn't change that WHERE you are posting is FREE, that it is a webnews

interface for a gateway to Usenet, and that suggestions here are only seen

by other users, not Microsoft.



> *plonk*




Oh yeah, I'm devastated now, for sure.
 
On Sun, 21 Feb 2010 00:13:01 -0800, Axel Dahmen wrote:



> "VanguardLH" wrote:




>> You are new here. This is NOT a forum. It is NOT monitored by Microsoft.




> And YOU must be joking! But you are NOT funny!

>

> Hey, I've been doing this for almost twenty years now. And I don't need a

> wise guy to tell me what I'm doing!

>

> Have you followed the link that's automatically added to my post? I'm paying

> lots of money for this functionality!




You are referring to this suggestion, appended to your post by the Microsoft

Communities servers:



| ----------------

| This post is a suggestion for Microsoft, and Microsoft responds to the

| suggestions with the most votes. To vote for this suggestion, click the "I

| Agree" button in the message pane. If you do not see the button, follow this

| link to open the suggestion in the Microsoft Web-based Newsreader and then

| click "I Agree" in the message pane.



If I wanted to use the web view, I wouldn't use a proper NNTP reader. I've

never seen the point of reopening an article, just to vote for something.



> So, please, if you don't have anything technical to reply to my suggestion, just

> step back and let grown ups talk, will you?




Wondering what makes you think you are more mature than any other poster ...

or they less mature than you.



BTW, WRT the voting button, you are not paying for that functionality. It is

a part of the Microsoft Communities, not your MSDN subscription.



--

Norman

~Oh Lord, why have you come

~To Konnyu, with the Lion and the Drum
 
N. Miller wrote:



> BTW, WRT the voting button, you are not paying for that functionality. It is

> a part of the Microsoft Communities, not your MSDN subscription.




He appears to be in denial of the fact that EVERYONE gets to use the webnews

gateway provided by Microsoft - and for free.
 


> This post is a suggestion for Microsoft, and Microsoft responds to the

> suggestions with the most votes...




Yeah, right! If you believe that, I've got a bridge you may be

interested in buying.
 
> Hey, I've been doing this for almost twenty years now.



[Ooo, always a sign of an inflated, easily-bruised ego...]





Axel Dahmen wrote:

> Vanguard,

>

> "VanguardLH" wrote:

>> You are new here. This is NOT a forum. It is NOT monitored by

>> Microsoft.


>

> And YOU must be joking! But you are NOT funny!

>

> Hey, I've been doing this for almost twenty years now. And I don't need a

> wise guy to tell me what I'm doing!

>

> Have you followed the link that's automatically added to my post? I'm

> paying

> lots of money for this functionality!

>

> So, please, if you don't have anything technical to reply to my suggestion,

> just

> step back and let grown ups talk, will you?

>

> Axel Dahmen

> www.axeldahmen.de

> http://www.dashop.de/blog/en/usenet/Invalid-Newsgroup-Statements.html
 