- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Mon, 17 Jul 2006 11:29:15 +0200
- To: Chris Drake <christopher@pobox.com>
- Cc: public-usable-authentication@w3.org
* Chris Drake wrote:
>Might I respectfully suggest that if you don't understand XSS (and
>specifically, how web sites initiate authentication and how they
>function post-authentication), either learn about it, or ask people
>off-list - don't broadcast silliness and insulting misrepresentations
>like "If, as you say, the browser makes all my files available to any
>web site I visit" on public forums.

So when you say "XSS can steal anything" and "XSS can steal *anything* that the browser can access", you don't mean "XSS can steal anything". What is it, then, that you mean, and why do you keep saying something completely different? If "anything" excludes local files, does it include passwords?

How do you steal, for example, HTTP Basic Auth credentials from a page that depends on HTTP Basic Auth, allows you to inject any script you like, but does not echo the credentials anywhere, using XSS? How about Digest? Or how about cookies? Do you have some script that can access HttpOnly cookies in browsers that support this type of cookie even if the server never sends the cookie to the client (the user had the cookie set prior to your attack and there is no need to provide it a second time)?

Do the methods you use to steal these bits of information exist by design and cannot be removed, disabled, or made dependent on user confirmation? As you seem to accept that local files are not made available to arbitrary web sites, why would it not be possible to apply the same protection to any other bit of information you would like to protect?

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Monday, 17 July 2006 09:36:05 UTC
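The HttpOnly question in the message above turns on two different views of the same cookie jar: what page script can read through document.cookie, and what the browser attaches to a request. The following is an added example, not code from the thread or from either participant; it is a small Node.js model of that split, with a hand-written Set-Cookie parser and constructed cookie names and values (SESSION, theme) chosen for illustration.

```javascript
// Added example (not from the mailing-list thread): a minimal model of how a
// browser's cookie jar treats the HttpOnly attribute. The cookie names and
// values below are constructed for illustration.

// Parse one Set-Cookie header value into {name, value, httpOnly, secure}.
// Only the attributes relevant to this example are interpreted; Path, Domain
// and Expires are accepted but ignored.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error('malformed Set-Cookie: ' + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> parsed cookie, insertion ordered
  }

  // Store (or overwrite) a cookie from a server's Set-Cookie header.
  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }

  // The view page script gets via document.cookie: HttpOnly cookies are
  // omitted, so an injected script cannot read their values.
  documentCookie() {
    return [...this.cookies.values()]
      .filter(c => !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }

  // The Cookie header the browser attaches to a same-origin request: every
  // stored cookie, HttpOnly or not, without script ever seeing it.
  requestCookieHeader() {
    return [...this.cookies.values()]
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Walk through the scenario from the thread: the session cookie was set
// before any attack, flagged HttpOnly; a harmless preference cookie was not.
function demo() {
  const jar = new CookieJar();
  jar.store('SESSION=abc123; Path=/; HttpOnly; Secure');
  jar.store('theme=dark; Path=/');
  return {
    scriptView: jar.documentCookie(),      // "theme=dark"
    wireView: jar.requestCookieHeader(),   // "SESSION=abc123; theme=dark"
  };
}

console.log(demo());
```

In this model an injected script never obtains the SESSION value, which is the point of the HttpOnly flag as described in the message; the same-origin request path still carries it automatically, which is why practitioners treat HttpOnly as protection against cookie theft specifically rather than against every use of an XSS foothold.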