- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Mon, 08 Nov 2010 17:02:56 +0100
- To: Anne van Kesteren <annevk@opera.com>
- Cc: public-html-testsuite@w3.org, Jonas Sicking <jonas@sicking.cc>
On Monday, 08 November 2010 at 17:00 +0100, Anne van Kesteren wrote:
> While we had the meeting everyone in the room sort of agreed that the
> safest solution would be to host the test suite on a domain that could not
> be made same-origin with w3.org using document.domain. And one that would
> not share cookies either. Dominique suggested that we could instead try to
> avoid such holes by not putting files that allow for XSS on test.w3.org.
> When I relayed this nobody thought that would be a workable solution.

(FWIW, I'm making progress internally on setting up a separate domain based on Anne's feedback on this)

> It seems to me the most pragmatic solution here is to use a separate
> domain. This avoids the hassle of having to carefully review each file for
> XSS exploits and avoids tests having to be rewritten. It also removes the
> possibility for an exploit this way which seems like a major win.
>
> If people could reiterate their own points from the meeting that might
> help.

I'm particularly interested in more details as to what the XSS holes are that look hard or impossible to plug.

Dom
Received on Monday, 8 November 2010 16:03:09 UTC
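The isolation criterion Anne describes (a host that cannot be made same-origin with w3.org via document.domain and does not share its cookies) comes down to whether the two hosts share a registrable domain (eTLD+1). The following check is an added example, not code from this thread or from W3C; the public-suffix table and the candidate hostnames are constructed for illustration.

```javascript
// Added example: decide whether two hosts could become same-origin through
// document.domain. A page may only set document.domain to a suffix of its own
// host that is not itself a public suffix, so two hosts can meet only if they
// share a registrable domain (eTLD+1). Cookies with a Domain= attribute are
// bounded by the same rule, so the check covers the cookie concern as well.

// Constructed, deliberately tiny stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["org", "com", "co.uk", "uk"]);

// Registrable domain (eTLD+1) of a host, or null when the host is itself a
// public suffix. Unlisted TLDs follow the PSL default rule: the TLD alone is
// the public suffix, so the registrable domain is the last two labels.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// True when a page on hostA and a page on hostB could both set document.domain
// to a common value (and when a Domain= cookie could be shared between them).
function canShareOrigin(hostA, hostB) {
  const a = registrableDomain(hostA);
  const b = registrableDomain(hostB);
  return a !== null && a === b;
}

// Hosts a candidate test-suite domain must stay isolated from. Only w3.org is
// taken from the thread; the candidate names below are constructed.
const PROTECTED_HOSTS = ["w3.org", "www.w3.org"];

function isIsolatedCandidate(candidateHost) {
  return PROTECTED_HOSTS.every((h) => !canShareOrigin(candidateHost, h));
}

console.log(isIsolatedCandidate("test.w3.org"));              // false
console.log(isIsolatedCandidate("w3-testsuite.example"));     // true
```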