- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Wed, 2 Jan 2008 18:45:02 +0000
- To: Anne van Kesteren <annevk@opera.com>, Ian Hickson <ian@hixie.ch>
- CC: "public-appformats@w3.org" <public-appformats@w3.org>
Anne van Kesteren wrote:
> On Wed, 02 Jan 2008 19:26:03 +0100, Close, Tyler J. <tyler.close@hp.com> wrote:
> > Sure, but the question is: "Whose responsibility is it?". In my opinion,
> > it is the server's responsibility to ensure a safe default for each
> > resource. You seem to have the perspective that it's the client's
> > responsibility.
>
> Most XSS problems have been due to lack of knowledge of the authors. SQL
> injection is a big one for instance. Also script injection due to lack of
> escaping on the server side. Trusting the authors to do the right thing
> does not seem responsible at all.

Who said anything about trusting web content authors? Like I said, a mechanism like the one this WG has designed may well be deployed server-side. We just don't have to rely on the browser to understand the mechanism and enforce it. This same program logic can reside server-side.

--Tyler

Received on Wednesday, 2 January 2008 19:40:24 UTC