    72 points _vvhw | 12 comments
    1. zawerf ◴[] No.21069377[source]
    I am always irrationally(?) scared of using these sanitizers despite their successful history. As soon as new html/js/css syntax/features are introduced, won't your security model need to be reevaluated? Which seems like a lost cause at the rate new capabilities are introduced to the web. E.g., when CSS Shaders lands, you might be able to execute arbitrary gpu code with just css (hypothetically speaking, I don't actually know how it will work. I am sure it'll be sandboxed pretty well. But the problem remains that there are too many new possibilities to keep up with!).
    replies(4): >>21069454 #>>21069510 #>>21069644 #>>21071017 #
    2. megous ◴[] No.21069454[source]
    Make it a whitelist. :)
    replies(1): >>21069557 #
    3. _vvhw ◴[] No.21069510[source]
    DOMPurify (as a client-side sanitizer) uses a whitelist. There's also CSP for defense-in-depth.

    I would be more concerned about using server-side sanitizers due to the impedance mismatch between client/server HTML parsing algorithms.

    4. zawerf ◴[] No.21069557[source]
    It wouldn't help if new features extend the capabilities of existing stuff (which is done all the time). For example the CSS Shader example from before adds new syntax to the existing 'filter' css style, which you might've already whitelisted because it is safe today.
    replies(1): >>21069693 #
    5. dogma1138 ◴[] No.21069644[source]
    Security models are constantly being re-evaluated as new threats and attack vectors emerge.

    What you said can be generically applied to every security control, which is why security is hard.

    6. ShaneCurran ◴[] No.21069693{3}[source]
    I guess a nested, parameter-granularity whitelist would work in that case :)
    replies(1): >>21070036 #
    7. _vvhw ◴[] No.21070036{4}[source]
    You can do that with DOMPurify using hooks.
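
Added example, not part of the thread and not DOMPurify's own code: one way the value-level allow-list discussed in comments 6 and 7 could be written as a DOMPurify `uponSanitizeAttribute` hook. The property list and value grammars are assumptions chosen for illustration, and `style` is assumed to be an attribute the sanitizer configuration lets through.

```javascript
// Value-level allow-list for inline styles (illustrative rules, not a vetted policy).
const NUM = String.raw`\d+(?:\.\d+)?`;
// A filter function passes only if it matches one of these exact grammars.
const FILTER_FN = new RegExp(
  `^(?:blur\\(${NUM}px\\)|(?:brightness|contrast|grayscale|opacity|saturate|sepia)\\(${NUM}%?\\))$`
);
// property -> predicate over the trimmed, lower-cased value
const STYLE_RULES = new Map([
  ['text-align', v => /^(?:left|right|center|justify)$/.test(v)],
  ['color', v => /^#[0-9a-f]{3}(?:[0-9a-f]{3})?$/.test(v)],
  // every space-separated function must be known; new syntax fails closed
  ['filter', v => v.split(/\s+/).every(fn => FILTER_FN.test(fn))],
]);

// Rebuild the style value from declarations whose property AND value pass.
// Splitting on ';' is naive, but fragments that do not validate are dropped.
function filterStyle(styleText) {
  const kept = [];
  for (const decl of styleText.split(';')) {
    const i = decl.indexOf(':');
    if (i < 0) continue;
    const prop = decl.slice(0, i).trim().toLowerCase();
    const value = decl.slice(i + 1).trim().toLowerCase();
    const rule = STYLE_RULES.get(prop);
    if (rule && rule(value)) kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Hook body: rewrite data.attrValue, or set data.keepAttr = false to drop it.
function styleHook(node, data) {
  if (data.attrName !== 'style') return;
  const cleaned = filterStyle(data.attrValue);
  if (cleaned) data.attrValue = cleaned;
  else data.keepAttr = false;
}

// Register only where DOMPurify is loaded (browser, or Node with a DOM).
if (typeof DOMPurify !== 'undefined') {
  DOMPurify.addHook('uponSanitizeAttribute', styleHook);
}
```

Because the `filter` rule matches whole function grammars rather than the property name alone, a value using syntax the list does not know is dropped even though `filter` itself is allowed.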
    8. nullandvoid ◴[] No.21071017[source]
    Isn't that like saying there's no point in using an anti virus as viruses are always evolving?

    You're still catching entire classes of existing issues.

    replies(3): >>21071586 #>>21071903 #>>21072437 #
    9. hannob ◴[] No.21071586[source]
    > Isn't that like saying there's no point in using an anti virus as viruses are always evolving?

    You're very close to understanding something.

    (Though in defense of DOM purifiers they can use a whitelist)

    10. __s ◴[] No.21071903[source]
    Bad example. Anti virus software is a scam. Just adds another attack vector when the anti virus software has a bug in their file parsing & makes it so that you can be impacted by just downloading a malicious file.

    Windows Defender is sufficient & bundled with Windows

    replies(1): >>21075859 #
    11. zAy0LfpBZLC8mAC ◴[] No.21072437[source]
    You mean, you are catching exploits for vulnerabilities that don't exist anymore, and you pay for that with a gigantic attack surface that can be used to compromise you? Yeah, that sounds about right.
    12. nullandvoid ◴[] No.21075859{3}[source]
    I mean, I never said anything about buying one; you just assumed that. I also just use Windows Defender, part of which is an anti virus.