
I have created a Tor hidden service site which has absolutely no JavaScript or other types of client side scripts. The page is HTML, CSS, images, and some JSP for handling user input.

I encourage users to use NoScript, however many times users do not listen. Putting a big message across the page forcing them to disable scripts is too annoying to be useful, and users ignore warnings.

Is there a way I could make my site tell the user's browser that my page has no scripts, and if it finds any on the page then to ignore them?

I am doing this as an extra precaution against XSS which could be from malicious hackers, or from investigators attempting to identify IPs of users on my site.

EDIT: Just to make it clear I want the website to tell the browser to do this, I don't want to have to tell each visitor how to configure their browser. Users are dumb and lazy usually.

k1308517

  • You could use the striptags function from PHP. Users can't input any HTML tags, including the script ones. XSS is only possible when you have unsanitised user input, so you will have to sanitise their input to prevent XSS. – Bomskie Jun 03 '16 at 11:28
  • @Bomskie I know, but as an extra protection. – k1308517 Jun 03 '16 at 11:45
  • Not really an answer, but you could add nag messages (or even disable the page) using... wait for it... scripts! So if they have ignored your advice to disable scripts, they will be nagged/disabled. But if they have disabled scripts as you have requested, they will see nothing but your site/service. – loneboat Jun 03 '16 at 14:35
  • @loneboat, "*... is too annoying to be useful.*" – user1717828 Jun 03 '16 at 15:43
  • Simple. If someone has scripts turned on for your site, have JavaScript that will direct them somewhere else. – Matthew Whited Jun 04 '16 at 12:44
  • Is this 2016? "everything" needs JS; XSS is simply bad programming and can be avoided by a mile... – Kyslik Jun 04 '16 at 14:00
  • @Kyslik - Tor hidden service providers recommend disabling javascript mostly due to stuff like [this](http://boingboing.net/2013/08/04/anonymous-web-host-shut-down.html). As far as I'm aware, javascript is just as likely to be insecure today in 2016 as it was in 2013. – Jules Jun 05 '16 at 07:52
  • @loneboat But in case of a successful XSS attack the malicious script could disable the message. So the site would nag at users when everything is OK and won't when they are at risk. – kapex Jun 06 '16 at 09:04
  • @kapep: Heh, that's a good point. – loneboat Jun 06 '16 at 13:59
  • Nag messages using scripts would technically work. Except it would drive away some percentage of your visitors, and those driven away may spread the news, squashing new visitors by word-of-internet. Depending on how valuable your content is, that may be too large of a deterrent, or it might be OK. I would advise against this though, given the other details that you have shared. – YetAnotherRandomUser Oct 21 '17 at 18:18

1 Answer


A good option is to harden your Content Security Policy. It allows you to fine-tune which resources the browser will load/run, and is supported by most browsers.

Consider the following header:

Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self';

This tells the browser to disable scripts, frames, connections and any other objects/media. We then permit images and stylesheets to be loaded, but only from the same domain.

grc

  • Of course, if there is some man in the middle or browser plugin which wants to inject script it can simply delete the CSP header, since the header is per response and not per site. – Steffen Ullrich Jun 03 '16 at 12:24
  • @SteffenUllrich if the attacker has enough control to modify the headers, I feel like they're already beyond XSS. – grc Jun 03 '16 at 12:39
  • I'm not sure, but I think this would block embedded fonts. That might or might not be intended. – Patrick M Jun 03 '16 at 14:53
  • @PatrickM you can set `font-src` as needed. – grc Jun 03 '16 at 15:13
  • @grc Ya. I wasn't disagreeing with your answer. I more meant it as a warning to the original poster that he might need to allow fonts too. – Patrick M Jun 03 '16 at 15:15
  • @SteffenUllrich So what you're saying is it would be nice if a similar configuration were possible through DNS records, or something along those lines? – Oliphaunt Jun 03 '16 at 22:10
  • @Oliphaunt: no I'm not saying that. I only pointed out that the CSP header gives a page policy and not a site policy, i.e. contrary to HSTS. And thus it could be disabled more easily, depending on what modifications the attacker can do to the page. – Steffen Ullrich Jun 04 '16 at 04:45
  • Virtually all techniques for mitigating XSS, XSRF, etc. assume the attacker *cannot* modify the page sent from server to user, because virtually all such mitigations would fail in that case. When talking about man-in-the-middle attacks, XSS, XSRF etc. do not factor into that conversation - and as you rightly point out, at that point things like HSTS become relevant instead. It doesn't mean you don't try to mitigate XSS and XSRF as well, but that exists on a different layer of attacker access where there is not yet any possibility for man-in-the-middle. – thomasrutter Jun 06 '16 at 01:54
  • @PatrickM OP mentioned he was creating a Tor hidden service. Tor Browser already blocks fonts, using only bundled fonts for rendering text. – forest Feb 21 '18 at 06:09
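To check what the header in the answer actually resolves to for each resource type (including the font-src fallback raised in the comments), here is a small CSP evaluator. It is an added example, not code from the answer or from any browser; it models the default-src fallback rule for fetch directives, and the "weak" header is a constructed comparison case.

```python
from typing import Dict, Optional, Set

# Fetch directives that inherit from default-src when not set explicitly.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
}


def parse_csp(header: str) -> Dict[str, Set[str]]:
    """Split a Content-Security-Policy value into {directive: set of source expressions}.
    A directive repeated within one header keeps its first occurrence, as browsers do."""
    policy: Dict[str, Set[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy


def effective_sources(policy: Dict[str, Set[str]], directive: str) -> Optional[Set[str]]:
    """Source list the browser applies for `directive` after default-src fallback.
    None means the policy leaves that directive unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None  # base-uri, form-action, frame-ancestors never inherit from default-src


def audit(header: str, directives=("script-src", "object-src", "frame-src",
                                    "font-src", "img-src", "base-uri")) -> Dict[str, str]:
    """Map each directive of interest to 'blocked', 'unrestricted', or its source list."""
    policy = parse_csp(header)
    summary = {}
    for d in directives:
        src = effective_sources(policy, d)
        if src is None:
            summary[d] = "unrestricted"
        elif src == {"'none'"}:
            summary[d] = "blocked"
        else:
            summary[d] = " ".join(sorted(src))
    return summary


# The header from the answer above, and a constructed weaker variant that only
# names scripts, so plugins and frames fall through with no restriction at all.
ANSWER_HEADER = "default-src 'none'; img-src 'self'; style-src 'self';"
WEAK_HEADER = "script-src 'none'"

if __name__ == "__main__":
    for label, hdr in (("answer", ANSWER_HEADER), ("weak", WEAK_HEADER)):
        print(label, audit(hdr))
```

Note that `base-uri` comes back unrestricted for the answer's header because it does not fall back to `default-src`; add it explicitly if injected `<base>` tags are a concern.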