
Re: Test Suite and XSS

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Mon, 08 Nov 2010 17:02:56 +0100
To: Anne van Kesteren <annevk@opera.com>
Cc: public-html-testsuite@w3.org, Jonas Sicking <jonas@sicking.cc>
Message-ID: <1289232176.8986.74.camel@altostratustier>
On Monday 08 November 2010 at 17:00 +0100, Anne van Kesteren wrote:
> While we had the meeting everyone in the room sort of agreed that the  
> safest solution would be to host the test suite on a domain that could not  
> be made same-origin with w3.org using document.domain. And one that would  
> not share cookies either. Dominique suggested that we could instead try to  
> avoid such holes by not putting files that allow for XSS on test.w3.org.  
> When I relayed this nobody thought that would be a workable solution.

(FWIW, I'm making progress internally on setting up a separate domain
based on Anne's feedback on this)

> It seems to me the most pragmatic solution here is to use a separate  
> domain. This avoids the hassle of having to carefully review each file for  
> XSS exploits and avoids tests having to be rewritten. It also removes the  
> possibility for an exploit this way which seems like a major win.
> 
> If people could reiterate their own points from the meeting that might  
> help.

I'm particularly interested in more details as to what the XSS holes are
that look hard or impossible to plug.

Dom
Received on Monday, 8 November 2010 16:03:09 UTC
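The two sharing channels Anne's message names, document.domain relaxation and cookie scoping, can be modelled in a few lines. The block below is an added illustration, not code from this thread or from the W3C test suite; it uses a small constructed stand-in for the Public Suffix List and a placeholder host name `separate-test.example` for the "separate domain" under discussion. It shows why a host under w3.org (such as test.w3.org) can be made same-origin with www.w3.org and can receive cookies scoped to w3.org, while an unrelated registrable domain can do neither.

```javascript
// Added illustration (not code from the mailing-list thread).
// Constructed stand-in for the Public Suffix List: a document may never set
// document.domain to one of these, so they cannot become a shared origin.
const PUBLIC_SUFFIXES = new Set(["org", "com", "example", "co.uk"]);

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain);
}

// Simplified form of HTML's "is a registrable domain suffix of or is equal to"
// check used by the document.domain setter: the value must be the host itself
// or a DNS suffix of it, and must not be a public suffix.
function canSetDocumentDomain(host, candidate) {
  if (candidate === host) return true;
  if (!host.endsWith("." + candidate)) return false;
  return !isPublicSuffix(candidate);
}

// All values of document.domain that pages on hostA and hostB could both
// legally set. Any non-empty result means the two pages can relax into the
// same effective origin (assuming they share a scheme, which this model
// takes as given).
function sharedDocumentDomains(hostA, hostB) {
  const labels = hostA.split(".");
  const shared = [];
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (canSetDocumentDomain(hostA, candidate) &&
        canSetDocumentDomain(hostB, candidate)) {
      shared.push(candidate);
    }
  }
  return shared;
}

function canBecomeSameOrigin(hostA, hostB) {
  return sharedDocumentDomains(hostA, hostB).length > 0;
}

// RFC 6265 section 5.1.3 domain-matching: a cookie set with Domain=cookieDomain
// is sent to requestHost when the host equals the domain or is a subdomain of
// it (and the host is not an IP address literal).
function cookieDomainMatches(requestHost, cookieDomain) {
  if (requestHost === cookieDomain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(requestHost);
  return !isIPv4 && requestHost.endsWith("." + cookieDomain);
}

// Summary of both channels for a candidate test-suite host against www.w3.org.
function exposureReport(testHost, siteHost, siteCookieDomain) {
  return {
    sameOriginPossible: canBecomeSameOrigin(testHost, siteHost),
    sharedDomains: sharedDocumentDomains(testHost, siteHost),
    receivesSiteCookies: cookieDomainMatches(testHost, siteCookieDomain),
  };
}

// Host under w3.org: both channels open.
console.log(exposureReport("test.w3.org", "www.w3.org", "w3.org"));
// Placeholder separate domain: neither channel open.
console.log(exposureReport("separate-test.example", "www.w3.org", "w3.org"));
```

The report makes the trade-off in the thread concrete: moving the suite off w3.org closes both channels at once, whereas keeping it on test.w3.org leaves them open and puts the burden on reviewing every hosted file for script injection.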
