Re: AW: AW: Secure Chrome

From: James A. Donald <jamesd@echeque.com>
Date: Sun, 16 Jul 2006 06:28:51 +1000
Message-ID: <44B95003.7030204@echeque.com>
To: public-usable-authentication@w3.org

     --
Chris Drake wrote:
 > XSS can steal anything - passwords, pw-manager
 > credentials, and/or cookies - discussion of
 > HTTPS/pw-manager/etc as some kind of solution to XSS
 > simply makes no sense whatsoever.

Cross site scripting cannot steal something if the
script is not handling the information, but merely
triggering other software to obtain and send the data.

Of course, the correct solution to XSS is to write one's
server site so that it is not vulnerable to XSS, rather
than to treat script as unreliable, but this turns out
to be surprisingly difficult, and one should ask why is
it so difficult - but doubtless if one did ask that, it
would be declared to be off topic.



     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      3Adk9thyd83QN9PhxcBGp7fLfpEaw7/6X7JnkkK4
      4/QfHLfr2+wxvKji7+95nPW9yvySotFtntQO93OqP
Received on Saturday, 15 July 2006 20:29:00 GMT
