- From: Chris Drake <christopher@pobox.com>
- Date: Mon, 17 Jul 2006 16:25:53 +1000
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: public-usable-authentication@w3.org
Hi Bjoern,

Might I respectfully suggest that if you don't understand XSS (and specifically, how web sites initiate authentication and how they function post-authentication), either learn about it, or ask people off-list - don't broadcast silliness and insulting misrepresentations like "If, as you say, the browser makes all my files available to any web site I visit" on public forums.

Kind Regards,
Chris Drake

Monday, July 17, 2006, 2:00:18 AM, you wrote:

BH> * Chris Drake wrote:
>>XSS can steal *anything* that the browser can access - [...]

BH> XSS exploits are based on client-side scripting. For such a script to
BH> access some information, the browser has to provide an API to access
BH> the information. If the browser does not provide an API to access it,
BH> the information cannot be stolen by a script. So what you are saying
BH> is that browsers provide APIs that allow unrestricted read access on
BH> your computer to any web site you visit without consulting the user.
BH> My browser has read access to, among many other things, virtually all
BH> files on my computer. If, as you say, the browser makes all my files
BH> available to any web site I visit, without ever asking or telling me,
BH> why would I use the browser to an extent where I worry about usable
BH> authentication? I would not use such software at all!

Received on Monday, 17 July 2006 06:26:07 UTC