Re: Feature Request Access Containers

From: Robin Berjon <robin@berjon.com>
Date: Thu, 9 Jun 2011 16:26:15 +0200
Cc: public-web-security@w3.org
Message-Id: <E7E1D45C-715A-4497-AA54-C8116DDB1A3C@berjon.com>
To: Adam Barth <w3c@adambarth.com>

Hi Adam,

On Jun 3, 2011, at 01:55 , Adam Barth wrote:
> I don't think there's much hope for this direction.  Even without any
> additional privileges, an attacker can often cause lots of harm by
> exploiting an XSS vulnerability.

Naturally, but I'm not sure I see why this means that we should throw our hands up and fail to protect additional privileges appropriately. Just because the barbarians made it all the way to our doors doesn't mean we need let them drink our ale dry, make merry sport with our more attractive daughters, and play Céline Dion karaoke on the village square. Given the rather minimalist approach, which piggybacks a feature that's already been deemed desirable (bundling feature requests), the price to pay for the extra safety is low.

Robin Berjon - http://berjon.com/ - @robinberjon
Received on Thursday, 9 June 2011 14:26:46 UTC
