Re: XSS out of scope

I think it has to be. But could you offer up a scenario of what we would
do if it wasn't, just so I can be sure? (Or maybe someone who's sure will
answer.)

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




Shawn Duffy <sduffy@aol.net> 
Sent by: public-wsc-wg-request@w3.org
04/05/2007 10:44 AM

To: "Close, Tyler J." <tyler.close@hp.com>
cc: public-wsc-wg@w3.org
Subject: Re: XSS out of scope

Does this also include phishing that is only made possible via XSS, such
as a "trusted" site that has been injected with a fake login form via
XSS?  Is that also out of scope?  Just want to make sure I'm clear where
we're drawing the boundary...


Close, Tyler J. wrote:
> I've added a new Out of scope section to our Note to cover XSS attacks.
> See:
> 
> http://www.w3.org/2006/WSC/drafts/note/#XSS
> 
> This edit addresses ACTION-160
> 
> Tyler
> 

Received on Friday, 6 April 2007 14:22:24 UTC