Test Suite and XSS

While we had the meeting everyone in the room sort of agreed that the  
safest solution would be to host the test suite on a domain that could not  
be made same-origin with w3.org using document.domain. And one that would  
not share cookies either. Dominique suggested that we could instead try to  
avoid such holes by not putting files that allow for XSS on test.w3.org.  
When I relayed this nobody thought that would be a workable solution.

It seems to me the most pragmatic solution here is to use a separate  
domain. This avoids the hassle of having to carefully review each file for  
XSS exploits and avoids tests having to be rewritten. It also removes the  
possibility for an exploit this way which seems like a major win.

Anne van Kesteren

Received on Monday, 8 November 2010 16:01:09 UTC
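The two browser mechanisms the thread is worried about, document.domain relaxation and the cookie Domain attribute, can be modelled in a few lines. The following is an added example, not code from Anne's message or from the W3C test suite; it assumes a tiny stand-in public-suffix set (real browsers consult the Public Suffix List) and uses a hypothetical separate host, w3c-test.example, to stand for "a domain that cannot be made same-origin with w3.org". It models the host part of origins only; scheme and port must also agree for document.domain relaxation to succeed in a real browser.

```javascript
// Added example (not from the original message). Models why an XSS hole on
// test.w3.org reaches w3.org, but an XSS hole on a separate domain does not.

// Stand-in for the Public Suffix List (assumption; real browsers use the full list).
const PUBLIC_SUFFIXES = new Set(['org', 'com', 'net', 'example', 'co.uk']);

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain);
}

// A page on `host` may set document.domain to `target` only if `target` is the
// host itself or a parent suffix of it, and `target` is not a public suffix.
function canRelaxTo(host, target) {
  if (host === target) return true;
  if (!host.endsWith('.' + target)) return false;
  return !isPublicSuffix(target);
}

// Returns the domain both pages could set document.domain to in order to become
// same-origin, or null if no such domain exists.
function canBecomeSameOrigin(hostA, hostB) {
  const la = hostA.split('.');
  const lb = hostB.split('.');
  const common = [];
  // Collect the longest common label suffix, e.g. ['w3', 'org'].
  while (la.length && lb.length && la[la.length - 1] === lb[lb.length - 1]) {
    common.unshift(la.pop());
    lb.pop();
  }
  if (common.length === 0) return null;
  const suffix = common.join('.');
  return canRelaxTo(hostA, suffix) && canRelaxTo(hostB, suffix) ? suffix : null;
}

// RFC 6265 section 5.1.3 domain matching: a cookie with Domain=w3.org is sent
// to w3.org and to every subdomain of it, but not to unrelated hosts.
function cookieDomainMatches(requestHost, cookieDomain) {
  if (requestHost === cookieDomain) return true;
  return requestHost.endsWith('.' + cookieDomain);
}

// Summarise what an XSS on `testHost` can reach on `victimHost`, assuming the
// victim sets its session cookie with the given Domain attribute.
function xssExposure(testHost, victimHost, cookieDomain) {
  return {
    sameOriginVia: canBecomeSameOrigin(testHost, victimHost),
    cookiesShared: cookieDomainMatches(testHost, cookieDomain),
  };
}

// Demo: subdomain of w3.org versus a separate domain (hypothetical name).
console.log(xssExposure('test.w3.org', 'www.w3.org', 'w3.org'));
console.log(xssExposure('w3c-test.example', 'www.w3.org', 'w3.org'));
```

The first call reports that test.w3.org and www.w3.org can both relax to w3.org and that a w3.org-scoped cookie is sent to the test host, which is exactly the exposure a single XSS-able test file would create. The second reports null and false: the only suffix the separate host shares with w3.org is a public suffix, so document.domain cannot bridge them, and the cookie never leaves w3.org.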