RE: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

On Thu, 3 Apr 2008, Close, Tyler J. wrote:
> Maciej Stachowiak wrote:
> >
> > Can you please post these examples again, or pointers to where you 
> > posted them? I believe they have not been previously seen on the Web 
> > API list.
> 
> I've written several messages to the appformats mailing list. I suggest 
> reading all of them. The most detailed description of the attacks are in 
> the message at:
> 
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B6507@G6W0269.americas.hpqcorp.net
> 
> with a correction at:
> 
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B650D@G6W0269.americas.hpqcorp.net

As noted here:

   http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0138.html

...these are not problems with the Access Control and XXX specs. XDR is 
just as susceptible to these problems.

The above e-mail also describes ways to mitigate these problems.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 3 April 2008 01:16:16 UTC