
Re: Comments on: Access Control for Cross-site Requests

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 02 Jan 2008 19:39:14 +0100
To: "Close, Tyler J." <tyler.close@hp.com>, "Ian Hickson" <ian@hixie.ch>
Cc: "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <op.t4bffod764w2qv@annevk-t60.oslo.opera.com>

On Wed, 02 Jan 2008 19:26:03 +0100, Close, Tyler J. <tyler.close@hp.com> wrote:
> Sure, but the question is: "Whose responsibility is it?". In my opinion,
> it is the server's responsibility to ensure a safe default for each
> resource. You seem to have the perspective that it's the client's
> responsibility.

Most XSS problems have been due to lack of knowledge of the authors. SQL
injection is a big one for instance. Also script injection due to lack of
escaping on the server side. Trusting the authors to do the right thing
does not seem responsible at all.

Anne van Kesteren
Received on Wednesday, 2 January 2008 18:37:02 UTC
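As an added illustration of the "safe default for each resource" position discussed above (example code written for this archive page, not code from the specification draft or from either correspondent): a server-side policy that denies cross-site reads unless the resource explicitly lists the requesting origin, with the origin-reflecting anti-pattern shown beside it for contrast. It uses the header names from the final CORS specification (Access-Control-Allow-Origin, Access-Control-Allow-Credentials), which are an assumption here since the January 2008 draft was still changing; the resource paths and origins are constructed sample data.

```python
"""Server-side cross-site access policy with a deny-by-default posture.

Added example: the header names follow the final CORS spec, which is an
assumption relative to the 2008 draft under discussion. Paths and origins
below are constructed sample data."""
from urllib.parse import urlsplit

# Per-resource allow-list (constructed). A resource with no entry is never
# exposed cross-site, which is the "safe default" the thread argues for.
RESOURCE_POLICY = {
    "/public/feed.json": {"*"},               # world-readable, anonymous only
    "/api/account": {"https://app.example"},  # first-party web app only
}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in lower case, or None if the Origin
    value is absent, 'null', or anything other than a bare origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        # 'https://evil.example/app.example' must not pass as an origin
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def access_control_headers(path, origin, credentials=False):
    """Headers to attach to a cross-site response for `path` requested by
    `origin`. An empty dict means: send no access-control headers, so the
    browser must not expose the response to the requesting page."""
    allowed = RESOURCE_POLICY.get(path)
    if not allowed:                      # unlisted resource -> deny
        return {}
    norm = normalize_origin(origin)
    if norm is None:                     # unusable Origin -> deny
        return {}
    if "*" in allowed:
        # Browsers refuse '*' on a credentialed response, so deny outright
        # instead of echoing the origin to work around that restriction.
        return {} if credentials else {"Access-Control-Allow-Origin": "*"}
    if norm in allowed:
        headers = {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
        if credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    return {}                            # origin not on the list -> deny


def reflect_origin_headers(origin):
    """The weak setting, for contrast only: reflecting whatever Origin the
    client sent, with credentials, grants every site read access to the
    user's authenticated data. Do not deploy this."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    for path, origin, cred in [
        ("/api/account", "https://app.example", True),
        ("/api/account", "https://evil.example", True),
        ("/api/account", "https://app.example.evil.example", False),
        ("/public/feed.json", "https://anyone.example", False),
        ("/private/unlisted", "https://app.example", False),
    ]:
        print(path, origin, cred, "->", access_control_headers(path, origin, cred))
```

The design choice is that every branch that is not an explicit match falls through to "no headers", so a resource the author forgot to think about is closed rather than open; `Vary: Origin` is emitted whenever the allowed origin is echoed so a shared cache does not serve one origin's response to another.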
