
Re: XSS out of scope

From: Shawn Duffy <sduffy@aol.net>
Date: Fri, 06 Apr 2007 13:00:31 -0400
Message-ID: <46167CAF.1070509@aol.net>
To: beltzner@mozilla.com
CC: Dan Schutzer <dan.schutzer@fstc.org>, public-wsc-wg-request@w3.org, "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org, "'Close, Tyler J.'" <tyler.close@hp.com>

I'm not sure we're saying the browser should _block_ anything, but
notifying the user that something looks amiss may be in scope.  In my
eyes, this isn't really about including XSS, but is more about
acknowledging that XSS is an avenue for modifying trusted content and,
thus, impacts the security context for the user.

So, using XSS to steal cookies, hijack sessions, etc. would not be
included but using XSS to modify site content in a phishing attack,
perhaps, should be.

My $.02

Mike Beltzner wrote:
> We need to get this straightened out. 
> 
> Johnathan asked if we were unfairly limiting scope to visible-UI-only solutions, meaning we couldn't recommend that the browser should silently make choices that increase a user's security.
> 
> Stuart points out that XSS should be in scope for similar reasons. 
> 
> The question really becomes: is the goal of this WG to only generate recommendations on how to *display* security context to users, or is it to also recommend what type of content should be blocked from being displayed. The latter is, IMO, a wider set of recommendations, since it starts talking about types of content that can/should be untrusted. 
> 
> cheers,
> mike 
> 
> -----Original Message-----
> From: "Dan Schutzer" <dan.schutzer@fstc.org>
> Date: Fri, 6 Apr 2007 10:39:12 
> To:"'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>,"'Shawn Duffy <sduffy'" <sduffy@aol.net>
> Cc:<public-wsc-wg@w3.org>,"'Close, Tyler J.'" <tyler.close@hp.com>
> Subject: RE: XSS out of scope
> 
> I don't think this should be out of scope; some of our solutions address how to mitigate this. And some of our suggestions for strengthening the Browser also help in this area.
> 
> ----------------
>  
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
>  Sent: Friday, April 06, 2007 10:11 AM
>  To: Shawn Duffy <sduffy
>  Cc: public-wsc-wg@w3.org; Close, Tyler J.
>  Subject: Re: XSS out of scope
> 
>  I think it has to be. But could you offer up a scenario of what we would do if it wasn't, just so I can be sure? (or maybe someone who's sure will answer). 
>  
>            Mez
>  
>  Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
>  Lotus/WPLC Security Strategy and Patent Innovation Architect
> 
> Shawn Duffy <sduffy@aol.net>
> Sent by: public-wsc-wg-request@w3.org
> 04/05/2007 10:44 AM
> To: "Close, Tyler J." <tyler.close@hp.com>
> cc: public-wsc-wg@w3.org
> Subject: Re: XSS out of scope
> 
>  Does this also include phishing that is only made possible via XSS, such
>  as a "trusted" site that has been injected with a fake login form via
>  XSS?  Is that also out of scope?  Just want to make sure I'm clear where
>  we're drawing the boundary...
>  
>  
>  Close, Tyler J. wrote:
>  > I've added a new Out of scope section to our Note to cover XSS attacks.
>  > See:
>  > 
>  > http://www.w3.org/2006/WSC/drafts/note/#XSS
>  > 
>  > This edit addresses ACTION-160
>  > 
>  > Tyler
>  > 
> 

-- 
shawn duffy - sduffy at aol dot net
senior technical security engineer | aol it security
703.265.8273 | AIM: ShawnDuffy1
Received on Friday, 6 April 2007 17:01:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT