
Re: Comments on: Access Control for Cross-site Requests

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 02 Jan 2008 19:39:14 +0100
To: "Close, Tyler J." <tyler.close@hp.com>, "Ian Hickson" <ian@hixie.ch>
Cc: "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <op.t4bffod764w2qv@annevk-t60.oslo.opera.com>

On Wed, 02 Jan 2008 19:26:03 +0100, Close, Tyler J. <tyler.close@hp.com>  
wrote:
> Sure, but the question is: "Whose responsibility is it?". In my opinion,
> it is the server's responsibility to ensure a safe default for each
> resource. You seem to have the perspective that it's the client's
> responsibility.

Most XSS problems have been due to lack of knowledge of the authors. SQL  
injection is a big one for instance. Also script injection due to lack of  
escaping on the server side. Trusting the authors to do the right thing  
does not seem responsible at all.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 2 January 2008 18:37:02 GMT
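As an added illustration of the "safe default on the server" position argued above (example code, not from the thread or the spec draft): a per-resource policy that never grants cross-site read access unless the resource owner has listed the requesting origin. It assumes the modern `Access-Control-Allow-Origin` / `Vary` header names and a constructed policy table.

```python
# Added example, not code from the mailing-list thread. Models a server-side
# "safe default": every resource is private cross-site unless its owner opts
# in for specific origins. Header names follow current CORS (an assumption;
# the 2008 draft under discussion used different syntax).
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed per-resource allowlists. A resource missing from the table, or
# with an empty tuple, is never readable from another origin.
RESOURCE_POLICY: Dict[str, Tuple[str, ...]] = {
    "/public/feed.json": ("https://reader.example",),
    "/account/balance": (),  # explicitly private
}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port]; None if malformed."""
    parts = urlsplit(origin.strip())
    try:
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port in (None, default_port):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def access_control_headers(path: str, origin_header: Optional[str]) -> Dict[str, str]:
    """Headers to add to the response for `path` requested from `origin_header`.

    Returns {} (no grant at all) unless the resource opts in for exactly this
    origin. An absent, malformed or "null" Origin therefore gets nothing.
    """
    if origin_header is None:
        return {}
    origin = normalize_origin(origin_header)
    if origin is None:
        return {}
    allowed = {normalize_origin(o) for o in RESOURCE_POLICY.get(path, ())}
    if origin not in allowed:
        return {}
    # Echo the single matching origin rather than "*", and mark the response as
    # origin-dependent so shared caches do not replay it for another origin.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```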
