Brandon Sterne from Mozilla has been working on a way to solve the security threats caused by the requirement of clients to upload dynamic content to web servers. These threats manifest themselves in the form of XSS and CSRF attacks. Brandon’s ideas are being formulated into a specification called Site Security Policy which you can read about here:-
http://people.mozilla.com/~bsterne/site-security-policy/details.html
There is further discussion on the topic over at Jeremiah Grossman’s blog which can be found here:-
http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html
I guess the success of the specification will depend on what its goals are. Does it want to develop a comprehensive solution to mitigate XSS and CSRF attacks, or is it going a focused specification. I tend to think that keeping security solutions simple (even if they are not compressive) can allow for a much greater adoption rate. The other point to consider is that you don’t have to completely remove a threat on the Internet to be a success. We should be trying to implement changes that will force the “blackhats/bot herders/etc” to change their business model. There is a point where it wont be cost effective to use attacks like drive-by-downloads. To reach this point should be our first goal.
