- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sun, 16 Jul 2006 18:00:18 +0200
- To: Chris Drake <christopher@pobox.com>
- Cc: public-usable-authentication@w3.org
* Chris Drake wrote:
>XSS can steal *anything* that the browser can access - [...]

XSS exploits are based on client-side scripting. For such a script to access some information, the browser has to provide an API to access the information. If the browser does not provide an API to access it, the information cannot be stolen by a script. So what you are saying is that browsers provide APIs that allow unrestricted read access on your computer to any web site you visit without consulting the user.

My browser has read access to, among many other things, virtually all files on my computer. If, as you say, the browser makes all my files available to any web site I visit, without ever asking or telling me, why would I use the browser to an extent where I worry about usable authentication? I would not use such software at all!

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Sunday, 16 July 2006 16:00:31 UTC