W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2006

Re: Comments on the "new" 2518 -- XSS

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 22 Mar 2006 09:45:42 +0100
Message-ID: <44210EB6.4080400@gmx.de>
To: Jason Crawford <nn683849@smallcue.com>
CC: w3c-dist-auth@w3.org

Jason Crawford wrote:
> 
> On Tuesday, 03/21/2006 at 03:32 CET, Julian Reschke 
> <nnjulian.reschke___at___gmx.de@smallcue.com> wrote:
>  > Hi,
>  >
>  > I think that Kevin is correct that this is a new type of attack not
>  > discussed before, although I think it's misleading to call it an XSS 
> attack.
>  >
>  > I have opened a BugZilla issue for it
>  > (<http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=237>). Once we
>  > have consensus that this is a real problem, we need to discuss what to
>  > say in the Security Considerations section.
> 
>  From viruses, to spam, to copyrighted art,
> to offensive material, this is a pervasive issue that
> people should already be aware of.
> I don't think WebDAV adds much new here and I don't think it's
> necesary for the webdav spec to take responsibility for warning
> people about letting people or zombies put inappropriate content
> in public places.  

Jason,

the big difference here is that the vulnerability is with HTML content 
even in the absence of any browser bug. I really think this is different 
from the other stuff.

Best regards, Julian
Received on Wednesday, 22 March 2006 08:47:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:14 GMT