Re: Feature Request Access Containers

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 2 Jun 2011 16:55:15 -0700
Message-ID: <BANLkTi=D8hZic0142h_2eBbKOrTgkYMduw@mail.gmail.com>
To: Robin Berjon <robin@berjon.com>
Cc: public-web-security@w3.org

I don't think there's much hope for this direction.  Even without any
additional privileges, an attacker can often cause lots of harm by
exploiting an XSS vulnerability.

Adam


On Tue, May 31, 2011 at 6:19 AM, Robin Berjon <robin@berjon.com> wrote:
> Hi all,
>
> this is a topic that has been touched upon in a few other places previously, but it's been strongly suggested to me that this here list would be a good place to discuss it perhaps more thoroughly.
>
> Basically, I've been mulling over a way of doing bulk feature requests (as in the existing Permissions draft: http://dev.w3.org/2009/dap/perms/FeaturePermissions.html) but coupled with a way to provide XSS mitigation.
>
> I've put together a very rough draft of it. It could use a decent amount of tightening up and some more regular terminology, but I think that the idea ought to be outlined well enough that it's understandable. You can read it at:
>
>   http://w3c-test.org/dap/proposals/request-feature/
>
> This is just a personal proposal and isn't endorsed by any group or company. Feedback much welcome!
>
> --
> Robin Berjon - http://berjon.com/ - @robinberjon
>
Received on Thursday, 2 June 2011 23:56:15 GMT