W3C home > Mailing lists > Public > public-usable-authentication@w3.org > July 2006

Re: Re[4]: AW: AW: Secure Chrome

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 17 Jul 2006 11:29:15 +0200
To: Chris Drake <christopher@pobox.com>
Cc: public-usable-authentication@w3.org
Message-ID: <obimb252euend5g0u2sao1b5k71f0t9jks@hive.bjoern.hoehrmann.de>

* Chris Drake wrote:
>Might I respectfully suggest that if you don't understand XSS (and
>specifically, how web sites initiate authentication and how they
>function post-authentication), either learn about it, or ask people
>off-list - don't broadcast silliness and insulting misrepresentations
>like "If, as you say, the browser makes all my files available to any
>web site I visit" on public forums.

So when you say "XSS can steal anything" and "XSS can steal *anything*
that the browser can access", you don't mean "XSS can steal anything".
What is it, then, what you mean, and why do you keep saying something
completely different?

If "anything" excludes local files, does it include passwords? How do
you steal, for example, HTTP Basic Auth credentials from a page that
depends on HTTP Basic Auth, allows you to inject any script you like,
but does not echo the credentials anywhere, using XSS? How about
Digest?

Or how about cookies? Do you have some script that can access HttpOnly
cookies in browsers that support this type of cookie even if the server
never sends the cookie to the client (the user had the cookie set prior
to your attack and there is no need to provide it a second time)?

Do the methods you use to steal these bits of information exist by de-
sign and cannot be removed, disabled, or made dependent on user con-
firmation? As you seem to accept that local files are not made available
to arbitrary web sites, why would it not be possible to apply the same
protection to any other bit of information you would like to protect?
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Monday, 17 July 2006 09:36:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT