Information Security Stack Exchange is a question and answer site for information security professionals. It's 100% free, no registration required.

I have created a Tor hidden service site which has absolutely no JavaScript or other types of client side scripts. The page is HTML, CSS, images, and some JSP for handling user input.

I encourage users to use NoScript, however many times users do not listen. Putting a big message across the page forcing them to disable scripts is too annoying to be useful, and users ignore warnings.

Is there a way I could make my site tell the user's browser that my page has no scripts, and if it finds any on the page then to ignore them?

I am doing this as an extra precaution against XSS which could be from malicious hackers, or from investigators attempting to identify IPs of users on my site.

EDIT: Just to make it clear I want the website to tell the browser to do this, I don't want to have to tell each visitor how to configure their browser. Users are dumb and lazy usually.

You could use the strip_tags function from PHP. Users can't input any HTML tags, including the script ones. XSS is only possible when you have unsanitised user input, so you will have to sanitise their input to prevent XSS. – Bomskie yesterday
2  
This is as far as my knowledge goes. Sorry man. – Bomskie yesterday
11  
Not really an answer, but you could add nag messages (or even disable the page) using... wait for it... scripts! So if they have ignored your advice to disable scripts, they will be nagged/disabled. But if they have disabled scripts as you have requested, they will see nothing but your site/service. – loneboat yesterday
1  
@loneboat, "... is too annoying to be useful." – user1717828 yesterday
1  
Is this 2016? "everything" needs JS; XSS is simply bad programming and can be avoided by a mile... – Kyslik 16 hours ago
up vote 83 down vote accepted

A good option is to harden your Content Security Policy. It allows you to fine-tune which resources the browser will load/run, and is supported by most browsers.

Consider the following header:

Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self';

This tells the browser to disable scripts, frames, connections and any other objects/media. We then permit images and stylesheets to be loaded, but only from the same domain.

6  
Of course, if there is some man in the middle or browser plugin which wants to inject script it can simply delete the CSP header since the header is per response and not per site. – Steffen Ullrich yesterday
42  
@SteffenUllrich if the attacker has enough control to modify the headers, I feel like they're already beyond XSS. – grc yesterday
2  
I'm not sure, but I think this would block embedded fonts. That might or might not be intended. – Patrick M yesterday
2  
@PatrickM you can set font-src as needed. – grc yesterday
2  
@grc Ya. I wasn't disagreeing with your answer. I more meant it as a warning to the original poster that he might need to allow fonts too. – Patrick M yesterday
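As an added example (not part of the answer or comments above), a small Python evaluator of CSP fetch directives shows why this policy works: a missing script-src or font-src falls back to default-src 'none', which is what blocks scripts and, as Patrick M points out, web fonts. The URLs, the page name and the simplified source matching are assumptions of this example; only the 'none', 'self' and 'unsafe-inline' keywords and exact host names are modelled.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "object-src", "frame-src"}
def parse_csp(value):
    """'default-src 'none'; img-src 'self'' -> {directive: [source, ...]}, lowercased."""
    policy = {}
    for chunk in value.split(";"):
        parts = chunk.lower().split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def effective_sources(policy, directive):
    """Source list governing a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")   # None: nothing restricts this directive
    return None

def allows(policy, directive, resource_url, page_url):
    """Does the policy permit loading resource_url from a page served at page_url?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    r, p = urlsplit(resource_url), urlsplit(page_url)
    same_origin = (r.scheme, r.netloc.lower()) == (p.scheme, p.netloc.lower())
    # Only 'self' and exact host names are modelled; wildcards, schemes and paths are not.
    return any((s == "'self'" and same_origin) or (not s.startswith("'") and s == r.netloc.lower())
               for s in sources)

def allows_inline(policy, directive):
    """Inline <script>/<style> needs 'unsafe-inline' (nonces and hashes not modelled)."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources
ANSWER_CSP = "default-src 'none'; img-src 'self'; style-src 'self';"
PAGE = "http://example.onion/index.jsp"   # constructed page URL, not a real site
def demo(csp_value):
    """Evaluate a few representative loads against one policy string."""
    p = parse_csp(csp_value)
    return {
        "same-origin image": allows(p, "img-src", "http://example.onion/logo.png", PAGE),
        "same-origin script": allows(p, "script-src", "http://example.onion/app.js", PAGE),
        "third-party image": allows(p, "img-src", "http://other.example/p.gif", PAGE),
        "same-origin font": allows(p, "font-src", "http://example.onion/f.woff", PAGE),
        "inline script": allows_inline(p, "script-src"),
    }
```

Running demo(ANSWER_CSP) shows only the same-origin image permitted; appending "font-src 'self';" is enough to let the same-origin font through without reopening scripts.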
