Re: Re[2]: AW: AW: Secure Chrome

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 16 Jul 2006 18:00:18 +0200
To: Chris Drake <christopher@pobox.com>
Cc: public-usable-authentication@w3.org
Message-ID: <51nkb2db3rvv7n97iinrpqr7clrebcor4q@hive.bjoern.hoehrmann.de>

* Chris Drake wrote:
>XSS can steal *anything* that the browser can access - [...]

XSS exploits are based on client-side scripting. For such a script to
access some information, the browser has to provide an API to access
the information. If the browser does not provide an API to access it,
the information cannot be stolen by a script. So what you are saying
is that browsers provide APIs that allow unrestricted read access on
your computer to any web site you visit without consulting the user.

My browser has read access to, among many other things, virtually all
files on my computer. If, as you say, the browser makes all my files
available to any web site I visit, without ever asking or telling me,
why would I use the browser to an extent where I worry about usable
authentication? I would not use such software at all!
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Sunday, 16 July 2006 16:00:31 GMT
