- From: James A. Donald <jamesd@echeque.com>
- Date: Sun, 16 Jul 2006 06:28:51 +1000
- To: public-usable-authentication@w3.org
--
Chris Drake wrote:
> XSS can steal anything - passwords, pw-manager
> credentials, and/or cookies - discussion of
> HTTPS/pw-manager/etc as some kind of solution to XSS
> simply makes no sense whatsoever.

Cross site scripting cannot steal something if the script is not handling the information, but merely triggering other software to obtain and send the data.

Of course, the correct solution to XSS is to write one's server site so that it is not vulnerable to XSS, rather than to treat script as unreliable, but this turns out to be surprisingly difficult, and one should ask why is it so difficult - but doubtless if one did ask that, it would be declared to be off topic.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
3Adk9thyd83QN9PhxcBGp7fLfpEaw7/6X7JnkkK4
4/QfHLfr2+wxvKji7+95nPW9yvySotFtntQO93OqP
Received on Saturday, 15 July 2006 20:29:00 UTC