
Re: http client side security issues

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 27 Aug 2012 15:20:34 -0700
Message-ID: <CAJE5ia_u6E8--noAjL8HEqU38d69UnmQkGGg2cNLM8tAn58Qcg@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: yuming huang <http.client.security@hotmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Oh, my understanding was that public-web-security had a somewhat
broader focus than public-webappsec because it's for the Web Security
Interest Group [1] rather than the Web Application Security Working
Group [2].

Adam

[1] http://www.w3.org/2011/07/security-ig-charter.html
[2] http://www.w3.org/2011/08/appsecwg-charter.html


On Mon, Aug 27, 2012 at 3:07 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> Thanks, Adam.
>
> Yuming, this list is for discussing the specifications under development in the Web Application Security Working Group at the W3C.  (specifically, Content Security Policy, Cross Origin Resource Sharing and anti-clickjacking work)
>
> I would second Adam's suggestion that OWASP is a good resource for general web security questions, as is the WASC, at http://webappsec.org/, and with a mailing list at:
>
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
> Good luck,
>
> Brad Hill
>
>> -----Original Message-----
>> From: Adam Barth [mailto:w3c@adambarth.com]
>> Sent: Monday, August 27, 2012 11:00 AM
>> To: yuming huang
>> Cc: public-web-security@w3.org
>> Subject: Re: http client side security issues
>>
>> You might not get the kinds of responses you're looking for from this mailing
>> list.  You might find better information from OWASP:
>>
>> https://www.owasp.org/
>>
>> Adam
>>
>>
>> On Fri, Aug 24, 2012 at 2:06 PM, yuming huang
>> <http.client.security@hotmail.com> wrote:
>> > Hi,
>> >
>> > The following questions are about current HTML standard (HTML 4.0,
>> > 4.1, 5.0?), as well as actual implementations (Internet Explorer,
>> > Firefox, Chrome).
>> >
>> > 1. Is silent download other than the HTML file itself allowed?  How does it
>> > work if possible?   How to prevent it from happening?
>> > For example (IE), a user types in a URL and hits the enter key. IE renders
>> > a web page (user sees it) and downloads a binary file silently to
>> > user's PC (user does not know).  Later the binary gets to run.
>> >
>> > 2. What are the means for a web server to collect information from a web
>> > client user?  Form, Cookie, browser signature...
>> >
>> >
>> > I searched http://lists.w3.org/Archives/Public/public-web-security/
>> > but found no result.
>> >
>> >
>> > Thanks!
>> >
>> >
>
Received on Monday, 27 August 2012 22:21:34 GMT
