- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 08 Nov 2010 17:00:32 +0100
- To: public-html-testsuite@w3.org
- Cc: "Jonas Sicking" <jonas@sicking.cc>, "Dominique Hazael-Massieux" <dom@w3.org>

While we had the meeting everyone in the room sort of agreed that the safest solution would be to host the test suite on a domain that could not be made same-origin with w3.org using document.domain. And one that would not share cookies either.

Dominique suggested that we could instead try to avoid such holes by not putting files that allow for XSS on test.w3.org. When I relayed this nobody thought that would be a workable solution.

It seems to me the most pragmatic solution here is to use a separate domain. This avoids the hassle of having to carefully review each file for XSS exploits and avoids tests having to be rewritten. It also removes the possibility for an exploit this way, which seems like a major win.

If people could reiterate their own points from the meeting that might help.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 8 November 2010 16:01:09 UTC
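
The isolation property discussed in the message above can be checked mechanically. The following is an added example, not part of the original message or of any W3C tooling: it lists the parent domains that a candidate test host and the main site have in common, which are the values both could set `document.domain` to and the `Domain=` scopes under which a cookie would reach both. The function names, the tiny public-suffix set and the host `html-tests.example.org` are assumptions made for illustration; scheme and port are ignored.

```javascript
// Constructed, minimal stand-in for the Public Suffix List (assumption: a
// real check would load the full list).
const PUBLIC_SUFFIXES = new Set(["org", "com", "net", "co.uk"]);

// Registrable domain = public suffix plus one label, or null if the host is
// itself a public suffix or has no known suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    // Longest candidate suffix is tried first.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Every value a page on `host` may assign to document.domain: the host
// itself and each parent, stopping at the registrable domain.
function allowedDocumentDomains(host) {
  const reg = registrableDomain(host);
  if (!reg) return [];
  const labels = host.toLowerCase().split(".");
  const out = [];
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    out.push(candidate);
    if (candidate === reg) break;
  }
  return out;
}

// Hypothetical helper: compare a candidate test host against the main site.
function assessTestHost(mainHost, testHost) {
  const main = new Set(allowedDocumentDomains(mainHost));
  const sharedParents = allowedDocumentDomains(testHost).filter((d) => main.has(d));
  return {
    // Domains both hosts could relax to via document.domain, and under
    // which a cookie set with Domain=<value> is sent to both hosts.
    sharedParents,
    isolated: sharedParents.length === 0,
  };
}

console.log(assessTestHost("w3.org", "test.w3.org"));
console.log(assessTestHost("w3.org", "html-tests.example.org"));
```

A host is only a safe home for untrusted test files when `isolated` is true; any entry in `sharedParents` means a script-injection hole on the test host is no longer confined to it.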