W3C home > Mailing lists > Public > public-html-testsuite@w3.org > November 2010

Test Suite and XSS

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 08 Nov 2010 17:00:32 +0100
Cc: "Jonas Sicking" <jonas@sicking.cc>, "Dominique Hazael-Massieux" <dom@w3.org>
To: public-html-testsuite@w3.org
Message-ID: <op.vluz25a964w2qv@anne-van-kesterens-macbook-pro.local>
While we had the meeting everyone in the room sort of agreed that the  
safest solution would be to host the test suite on a domain that could not  
be made same-origin with w3.org using document.domain. And one that would  
not share cookies either. Dominique suggested that we could instead try to  
avoid such holes by not putting files that allow for XSS on test.w3.org.  
When I relayed this nobody thought that would be a workable solution.

It seems to me the most pragmatic solution here is to use a separate  
domain. This avoids the hassle of having to carefully review each file for  
XSS exploits and avoids tests having to be rewritten. It also removes the  
possibility for an exploit this way which seems like a major win.

If people could reiterate their own points from the meeting that might  
help.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 8 November 2010 16:01:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 15:49:37 UTC