Re: Comments on: Access Control for Cross-site Requests

On Wed, 02 Jan 2008 19:26:03 +0100, Close, Tyler J. wrote:
> Sure, but the question is: "Whose responsibility is it?". In my opinion,
> it is the server's responsibility to ensure a safe default for each  
> resource. You seem to have the perspective that it's the client's  
> responsibility.

Most XSS problems have been due to lack of knowledge of the authors. SQL  
injection is a big one for instance. Also script injection due to lack of  
escaping on the server side. Trusting the authors to do the right thing  
does not seem responsible at all.

Anne van Kesteren

Received on Wednesday, 2 January 2008 18:37:02 UTC