Re[4]: AW: AW: Secure Chrome

From: Chris Drake <christopher@pobox.com>
Date: Mon, 17 Jul 2006 16:25:53 +1000
Message-ID: <47804913.20060717162553@pobox.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: public-usable-authentication@w3.org

Hi Bjoern,

Might I respectfully suggest that if you don't understand XSS (and
specifically, how web sites initiate authentication and how they
function post-authentication), either learn about it, or ask people
off-list - don't broadcast silliness and insulting misrepresentations
like "If, as you say, the browser makes all my files available to any
web site I visit" on public forums.

Kind Regards,
Chris Drake


Monday, July 17, 2006, 2:00:18 AM, you wrote:


BH> * Chris Drake wrote:
>>XSS can steal *anything* that the browser can access - [...]

BH> XSS exploits are based on client-side scripting. For such a script to
BH> access some information, the browser has to provide an API to access
BH> the information. If the browser does not provide an API to access it,
BH> the information cannot be stolen by a script. So what you are saying
BH> is that browsers provide APIs that allow unrestricted read access on
BH> your computer to any web site you visit without consulting the user.

BH> My browser has read access to, among many other things, virtually all
BH> files on my computer. If, as you say, the browser makes all my files
BH> available to any web site I visit, without ever asking or telling me,
BH> why would I use the browser to an extent where I worry about usable
BH> authentication? I would not use such software at all!

Received on Monday, 17 July 2006 06:26:07 GMT
