W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

Re: XSS out of scope

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Fri, 6 Apr 2007 10:11:23 -0400
Cc: public-wsc-wg@w3.org,"Close, Tyler J." <tyler.close@hp.com>
Message-ID: <OF126C0A31.538CA1E3-ON852572B5.004DE28D-852572B5.004DF247@LocalDomain>
To: "Shawn Duffy <sduffy" <sduffy@aol.net>
I think it has to be. But could you offer up a scenario of what we would 
do it if wasn't, just so I can be sure? (or maybe someone who's sure will 
answer). 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




Shawn Duffy <sduffy@aol.net> 
Sent by: public-wsc-wg-request@w3.org
04/05/2007 10:44 AM

To
"Close, Tyler J." <tyler.close@hp.com>
cc
public-wsc-wg@w3.org
Subject
Re: XSS out of scope







Does this also include phishing that is only made possible via XSS, such
as a "trusted" site that has been injected with a fake login form via
XSS?  Is that also out of scope?  Just want to make sure I'm clear where
we're drawing the boundary...


Close, Tyler J. wrote:
> I've added a new Out of scope section to our Note to cover XSS attacks.
> See:
> 
> http://www.w3.org/2006/WSC/drafts/note/#XSS
> 
> This edit addresses ACTION-160
> 
> Tyler
> 
Received on Friday, 6 April 2007 14:22:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT