
Re: AW: AW: Secure Chrome

From: James A. Donald <jamesd@echeque.com>
Date: Sun, 16 Jul 2006 06:28:51 +1000
Message-ID: <44B95003.7030204@echeque.com>
To: public-usable-authentication@w3.org

Chris Drake wrote:
> XSS can steal anything - passwords, pw-manager
> credentials, and/or cookies - discussion of
> HTTPS/pw-manager/etc as some kind of solution to XSS
> simply makes no sense whatsoever.

Cross site scripting cannot steal something if the
script is not handling the information, but merely
triggering other software to obtain and send the data.

Of course, the correct solution to XSS is to write one's
server site so that it is not vulnerable to XSS, rather
than to treat script as unreliable, but this turns out
to be surprisingly difficult, and one should ask why
it is so difficult - but doubtless if one did ask that, it
would be declared to be off topic.

          James A. Donald
Received on Saturday, 15 July 2006 20:29:00 UTC
