by zerognowl 3556 days ago
CSP is another baseline config that web application developers consistently don't include for whatever reason. It could be plain ignorance, but I think it goes deeper than that: I think CSP is too specific for the larger problem at hand which is JavaScript itself. If I want to perform XSS on a site, I will find a way. There are still unpatched SVG vectors I can use in Chrome which have gone un-noticed for the longest time, and they will, can, and are being used today. There are just too many code paths in browsers to exploit, and CSP only partially addresses the problem. I'm still seeing TrueType libraries from the 90s executing arbitrary code in browsers, and it's 2016.
2 comments
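As an added example, not part of the thread above: the post calls CSP a "baseline config", and the part of that baseline that actually bears on XSS is which sources may run script. The snippet below is a small, simplified evaluator for the script-src portion of a Content-Security-Policy header (it ignores ports, paths, 'strict-dynamic' and report-only mode, and is not a browser's implementation), used to compare a constructed weak policy of the kind often shipped as a "baseline" with a stricter one. Both policies, the nonce value and the hostnames are made up for illustration.

```javascript
'use strict';

// Parse a Content-Security-Policy header value into Map<directive, string[]>.
// Directives are ';'-separated; the first occurrence of a directive wins and
// later duplicates are ignored, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list governing <script>: script-src, else default-src, else null
// (the policy says nothing about scripts at all).
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// True if an injected inline <script> or on*= handler would execute.
function allowsInlineScript(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  const lower = sources.map(s => s.toLowerCase());
  if (!lower.includes("'unsafe-inline'")) return false;
  // CSP2 and later: a nonce or hash in the list makes 'unsafe-inline' a no-op.
  return !lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
}

// True if an external script at scriptUrl could load on a page at pageOrigin.
// Simplified host matching: 'self', '*', scheme-source ("https:"), exact host,
// or wildcard subdomain ("*.example"); scheme-less hosts take the page scheme.
function allowsScriptFrom(header, scriptUrl, pageOrigin) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  const self = new URL(pageOrigin);
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") {
      if (url.origin === self.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {        // scheme-source, e.g. "https:"
      if (url.protocol === src) return true;
      continue;
    }
    if (src.startsWith("'")) continue;              // keywords, nonces, hashes
    const hostSrc = src.includes('://') ? src : `${self.protocol}//${src}`;
    const [scheme, rest] = hostSrc.split('//');
    const host = rest.split('/')[0];                // port handling omitted
    if (scheme !== url.protocol) continue;
    if (host.startsWith('*.')) {
      if (url.hostname.endsWith(host.slice(1))) return true;   // ".example"
    } else if (host === url.hostname) {
      return true;
    }
  }
  return false;
}

// Constructed policies for comparison (not taken from any real site).
// The "weak" one is a common baseline: it lists 'self' but also lets any
// https: host and any inline script run, so an injected <script> still fires.
const WEAK_POLICY = "default-src 'self' https: 'unsafe-inline'";
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-AbCd1234'; " +
  "object-src 'none'; base-uri 'none'";

const PAGE = 'https://app.example';
console.log('weak allows inline script:', allowsInlineScript(WEAK_POLICY));
console.log('strict allows inline script:', allowsInlineScript(STRICT_POLICY));
console.log('strict allows third-party script:',
  allowsScriptFrom(STRICT_POLICY, 'https://evil.example/x.js', PAGE));
```

The stricter policy also sets `object-src 'none'`, which matters for the SVG angle raised later in the thread: an SVG referenced from `<img>` never runs script in any browser, but one loaded through `<object>`/`<embed>` or navigated to directly does, and `object-src` is the directive that closes the former route.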

> There are still unpatched SVG vectors I can use in Chrome which have gone un-noticed for the longest time, and they will, can, and are being used today.

If you know of exploitable XSS vectors in SVG implementations, you should report them. Not only would you get some nice big bug bounties, you'd, you know, close XSS vulnerabilities for hundreds of millions of people.

I have been tempted to go down the bug bounty route, but in this particular instance I might get a small win, but not contribute to the larger problem of browsers and JavaScript themselves. Browsers are a teeming big ball of complexity and rather than patch and forget, I would rather stick to a single duty, stripped down program like Lynx, or a hardened version of Firefox with heavy about:config tweaks. And of course, JavaScript turned off at all costs. I routinely ask people on public forums to switch to Firefox and block JavaScript, and I am a firm advocate of Lynx for surfing text-based websites. I might not be able to view some websites, but that's on them. It's a webmaster's job to make a website accessible, not mine.

That's all great and dandy for you and the few people inside your circle of influence but there's a bajillion people on the internet, using all kinds of devices, for whom this is impractical to impossible.

Even getting this kind of attack mitigated in one of the major browsers makes this a much less appealing thing to try and exploit and raises awareness of the problems potentially improving everyone's security.

Putting this kind of responsibility on others makes you part of the problem; instead you could help in being the solution. That's not to say webmasters shouldn't be doing a better job at this, but sometimes their abilities are limited. I'm surprised that anyone would be willing to then, as a consequence, let this be inflicted on others if they had the ability to do something substantial about it.

Yeah, I'm going to go out on a limb and suggest that you haven't really looked into your ideas for these attacks, and if you did you'd discover they weren't actually exploitable.

No, I stated I took out entire classes of attacks by using a single duty browser like Lynx and a hardened version of Firefox with JS disabled. Rather than patch and forget, I addressed the larger problem head on. The last thing a browser vendor wants to hear is a user complaining that JavaScript is enabled by default. There is a vested interest in having JavaScript all pervasive in browsers now, and huge lobby groups campaigning for a JavaScript only web, and this is very counter productive. Of course I can exploit Chrome and those exploits do work. My issue is that even if I report them, another one will pop up because the design of Chrome (and Firefox) is fundamentally flawed from the very outset. Complexity is the enemy of security, and the onus is on the user to mitigate, not always on the vendors, or the bug reporting ecosystem, or even the bug bounty programs.

SVG should only be executing in a null origin if it is not blocked by the CSP.