User-editable HTML XSS protection (tumblr like)

7
votes

I want my service to have such a feature: author can fully customize the page, but can't steal users' cookies.

Tumblr had some troubles with that, but solved them successfully http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html

So I need the solution with

  1. no moderation
  2. full access to html code of pages for users-authors, don't want white-list filtering and templating language (that is how it works now :( )
  3. no opportunity to steal each others cookies (on pages of other authors)
  4. centralized authentication db
  5. desirable: without authentication on each authors page

As I understand tumblr:

  1. separate domains without access to cookies of each other
  2. users are still authenticated on each subdomain (HOW??? www.tumblr.com js has access to main session cookies? Is that secure?)
  3. auth cookies should be httponly?..

Can I have secure and comfortable for users solution? Is cookie-theft the main issue of full access to html?

1
securityxsstumblr

1 Answers

3
votes

I want my service to have such a feature: author can fully customize the page, but can't steal users' cookies.

So I guess that you want to enable javascript for them but you do not want to allow manipulating cookies. This should be simple: just place it before the user's page loads:

if (document.__defineGetter__)
{    
    document.__defineGetter__("cookie", function () { return ""; } );
    document.__defineSetter__("cookie", function () { } );
}
else // IE
{
    Object.defineProperty(document, "cookie",
    {
        get: function () { return ""; },
        set: function () { return true; },
    });
}

users are still authenticated on each subdomain (HOW??? www.tumblr.com js has access to main session cookies? Is that secure?)

This is also simple - cookies supports this. Its domain attribute:

Set-Cookie: name=value; path=/; domain=.example.com

auth cookies should be httponly?..

Of course - they should be for the better security.