
Re: XSS out of scope

From: Mike Beltzner <beltzner@mozilla.com>
Date: Fri, 6 Apr 2007 16:53:02 +0000
Message-ID: <857500334-1175878407-cardhu_blackberry.rim.net-1740947504-@bwe023-cell00.bisx.prod.on.blackberry>
To: "Dan Schutzer" <dan.schutzer@fstc.org>, public-wsc-wg-request@w3.org, "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'Shawn Duffy <sduffy'" <sduffy@aol.net>
Cc: public-wsc-wg@w3.org, "'Close, Tyler J.'" <tyler.close@hp.com>
We need to get this straightened out. 

Johnathan asked if we were unfairly limiting scope to visible-UI-only solutions, meaning we couldn't recommend that the browser should silently make choices that increase a user's security.

Stuart points out that XSS should be in scope for similar reasons. 

The question really becomes: is the goal of this WG to only generate recommendations on how to *display* security context to users, or is it to also recommend what type of content should be blocked from being displayed. The latter is, IMO, a wider set of recommendations, since it starts talking about types of content that can/should be untrusted. 

cheers,
mike 

  

-----Original Message-----
From: "Dan Schutzer" <dan.schutzer@fstc.org>
Date: Fri, 6 Apr 2007 10:39:12 
To:"'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>,"'Shawn Duffy <sduffy'" <sduffy@aol.net>
Cc:<public-wsc-wg@w3.org>,"'Close, Tyler J.'" <tyler.close@hp.com>
Subject: RE: XSS out of scope

I don't think this should be out of scope, some of our solutions address how to mitigate this. And some of our suggestions for strengthening the Browser also help in this area.

----------------
 
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Friday, April 06, 2007 10:11 AM
To: Shawn Duffy <sduffy
Cc: public-wsc-wg@w3.org; Close, Tyler J.
Subject: Re: XSS out of scope


I think it has to be. But could you offer up a scenario of what we would do if it wasn't, just so I can be sure? (or maybe someone who's sure will answer).

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Shawn Duffy <sduffy@aol.net>
Sent by: public-wsc-wg-request@w3.org
04/05/2007 10:44 AM
To: "Close, Tyler J." <tyler.close@hp.com>
cc: public-wsc-wg@w3.org
Subject: Re: XSS out of scope

Does this also include phishing that is only made possible via XSS, such
as a "trusted" site that has been injected with a fake login form via
XSS? Is that also out of scope? Just want to make sure I'm clear where
we're drawing the boundary...
 
 
 Close, Tyler J. wrote:
 > I've added a new Out of scope section to our Note to cover XSS attacks.
 > See:
 > 
 > http://www.w3.org/2006/WSC/drafts/note/#XSS
 > 
 > This edit addresses ACTION-160
 > 
 > Tyler
 > 
Received on Friday, 6 April 2007 16:53:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT