What is Self-XSS?
The recent Facebook attack signals that something needs to be done, but knowing the right response is tricky.
What is Mozilla doing about it?
It will probably look something like this:
How does this affect other Firefox developer tools?
How does this affect users?
|User||Is a developer?|
|Can recognize Self-XSS attack?||No||Added Self-XSS attacks protection.||Warned about Self-XSS, may benefit from protection.|
I think this is a fairly clear net win: Minor, one time only, inconvenience to a sub-set of web developers, vs. full-time protection for the many that wouldn't recognize a self-xss attack.
Objections: This is a user problem
Objections: This is a Facebook problem
While it's true that allowing untrusted, unvetted, third party, dynamic content onto your site is something to avoid, I don't think that fixing this either is going to happen, or would fix the problem. The attack could easily forward you to another site to see the clipboard injecting flash, before returning you to the original site for the 'paste' step.
Objections: This is a Flash problem
While it's true that Adobe's clipboard policies are more relaxed than those of major web browsers, we've seen people caught by instructions that ask people to select/copy their own attack script. We think that the level of pain caused to developers by the CSP solution is low enough that we can justify the additional protection.