RE: http client side security issues

Thanks, Adam.

Yuming, this list is for discussing the specifications under development in the Web Application Security Working Group at the W3C (specifically, Content Security Policy, Cross Origin Resource Sharing and anti-clickjacking work).

I would second Adam's suggestion that OWASP is a good resource for general web security questions, as is the WASC, at http://webappsec.org/, and with a mailing list at:

http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Good luck,

Brad Hill

> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Monday, August 27, 2012 11:00 AM
> To: yuming huang
> Cc: public-web-security@w3.org
> Subject: Re: http client side security issues
> 
> You might not get the kinds of responses you're looking for from this mailing
> list.  You might find better information from OWASP:
> 
> https://www.owasp.org/
> 
> Adam
> 
> 
> On Fri, Aug 24, 2012 at 2:06 PM, yuming huang
> <http.client.security@hotmail.com> wrote:
> > Hi,
> >
> > The following questions are about current HTML standard (HTML 4.0,
> > 4.1, 5.0?), as well as actual implementations (Internet Explorer,
> > Firefox, Chrome).
> >
> > 1. Is silent download other than the HTML file itself allowed?  How does it
> > work if possible?  How to prevent it from happening?
> > For example (IE), a user types in a url and hits enter key. IE renders
> > a web page (user sees it) and downloads a binary file silently to
> > user's PC (user does not know).  Later the binary gets to run.
> >
> > 2. What are the means for web server to collect information from a web
> > client user?  Form, Cookie, browser signature...
> >
> >
> > I searched http://lists.w3.org/Archives/Public/public-web-security/
> > but found no result.
> >
> >
> > Thanks!
> >
> >

Received on Monday, 27 August 2012 22:08:13 UTC