Allowing JavaScript and preventing XSS

Dear Rails enthusiasts,

I’m currently developing a web app that allows each user to modify his
page, using any HTML and any JavaScript. Sure, they can mess up their
own page, but what I worry about is cross-site scripting vulnerabilities,
especially cookie replay/session hijacking.

What I worry about is that a user creates a page that fetches the current
cookie and saves it somewhere else. The user who visits the page
doesn’t know about that.

I wonder what the solution for this is. Thank you in advance.


Hendy I.
Web: http://hendy.gauldong.net
Mobile: +62 856 24889899
Yahoo Messenger: ceefour666

Hendy I. wrote:


Giving each user their own subdomain would prevent the browser from
allowing access to the cookies from the other subdomains. If someone is
logged in to foo.com the cookie would not be available if you were
browsing bar.foo.com.

The only other way I can think of is to somehow filter out the
JavaScript functions that read cookies, but that seems like it would be
too easy to get workarounds like including a js file from outside the
site.
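To make the subdomain suggestion above concrete, here is an added example (not code from the thread or from Rails) that models the browser's cookie-scoping rules from RFC 6265 and reports which cookies a script running on a user-controlled page at a given host could read through document.cookie. The names, the sample cookie jar and the hosts foo.com and bar.foo.com are constructed for the demonstration. It shows the assumption the subdomain approach rests on: the session cookie must be set without a Domain attribute (host-only), because a cookie set with Domain=foo.com is sent to every subdomain and is therefore readable from bar.foo.com as well; it also shows that an HttpOnly cookie is not readable by script at all, whatever the host.

```ruby
# Added example (not from the thread or from Rails): model RFC 6265 cookie
# scoping to see which cookies a script on a user-controlled page could read.

# Minimal cookie record: name, Domain value (or the setting host), whether
# it is host-only (no Domain attribute was sent), and whether it is HttpOnly.
Cookie = Struct.new(:name, :domain, :host_only, :http_only, keyword_init: true)

# RFC 6265 section 5.1.3 domain matching: the request host equals the
# cookie domain, or ends with "." followed by the cookie domain.
def domain_match?(request_host, cookie_domain)
  request_host = request_host.downcase
  cookie_domain = cookie_domain.downcase
  return true if request_host == cookie_domain
  request_host.end_with?(".#{cookie_domain}")
end

# A host-only cookie is sent only to the exact host that set it; a domain
# cookie is sent to every host that domain-matches its Domain attribute.
def sent_to?(cookie, request_host)
  if cookie.host_only
    request_host.downcase == cookie.domain.downcase
  else
    domain_match?(request_host, cookie.domain)
  end
end

# document.cookie exposes only cookies that are sent to the page's host
# and are not flagged HttpOnly.
def script_readable?(cookie, request_host)
  sent_to?(cookie, request_host) && !cookie.http_only
end

# Names of the cookies a script on request_host could read and send away.
def exposed_cookie_names(cookies, request_host)
  cookies.select { |c| script_readable?(c, request_host) }.map(&:name)
end

# Constructed sample jar: three ways the app at foo.com might set its session.
SAMPLE_JAR = [
  # Set-Cookie: _session_hostonly=...            (no Domain -> host-only)
  Cookie.new(name: "_session_hostonly", domain: "foo.com",
             host_only: true, http_only: false),
  # Set-Cookie: _session_domain=...; Domain=foo.com (shared with subdomains)
  Cookie.new(name: "_session_domain", domain: "foo.com",
             host_only: false, http_only: false),
  # Set-Cookie: _session_httponly=...; HttpOnly   (hidden from script)
  Cookie.new(name: "_session_httponly", domain: "foo.com",
             host_only: true, http_only: true)
].freeze

if __FILE__ == $0
  %w[foo.com bar.foo.com].each do |host|
    puts "script on #{host} can read: #{exposed_cookie_names(SAMPLE_JAR, host).inspect}"
  end
end
```

Run with `ruby cookie_scope.rb`: a script on foo.com can read both non-HttpOnly cookies, while a script on bar.foo.com can read only the one set with Domain=foo.com. So a per-user subdomain isolates the session only if the session cookie is issued host-only for the main host, and an HttpOnly session cookie keeps document.cookie empty of it in either layout.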

On 11/11/06, Alex W. [email protected] wrote:

Giving each user their own subdomain would prevent the browser from
allowing access to the cookies from the other subdomains. If someone is
logged in to foo.com the cookie would not be available if you were
browsing bar.foo.com.

Oomph, I’m not considering subdomains yet, too complicated.

I’m not planning to limit JavaScript, but more like designing which
security works best so that JavaScript can’t take advantage of it (so,
it’s more the server-side).

Maybe using HTTP authentication? But that way, the cookie/session doesn’t
work. Maybe HTTP auth + cookie? (so that the cookie itself doesn’t count
as a “legit” session).

I’m also considering associating an IP address with a session, but I
understand that some people have rotating proxies and a group of people
even surf with the same IP. So I don’t think it’s a good solution.


Hendy I.
Web: http://hendy.gauldong.net
Mobile: +62 856 24889899
Yahoo Messenger: ceefour666