- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 2 Jun 2011 16:55:15 -0700
- To: Robin Berjon <robin@berjon.com>
- Cc: public-web-security@w3.org
I don't think there's much hope for this direction. Even without any additional privileges, an attacker can often cause lots of harm by exploiting an XSS vulnerability. Adam On Tue, May 31, 2011 at 6:19 AM, Robin Berjon <robin@berjon.com> wrote: > Hi all, > > this is a topic that has been touched upon in a few other places previously, but it's been strongly suggested to me that this here list would be a good place to discuss it perhaps more thoroughly. > > Basically, I've been mulling over a way of doing bulk feature requests (as in the existing Permissions draft: http://dev.w3.org/2009/dap/perms/FeaturePermissions.html) but coupled with a way to provide XSS mitigation. > > I've put together a very rough draft of it. It could use a decent amount of tightening up and some more regular terminology, but I think that the idea ought to be outlined well enough that it's understandable. You can read it at: > > http://w3c-test.org/dap/proposals/request-feature/ > > This is just a personal proposal and isn't endorsed by any group or company. Feedback much welcome! > > -- > Robin Berjon - http://berjon.com/ - @robinberjon > > > >
Received on Thursday, 2 June 2011 23:56:15 UTC