- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Mon, 27 Aug 2012 22:23:45 +0000
- To: Adam Barth <w3c@adambarth.com>
- CC: yuming huang <http.client.security@hotmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Whoops, you are correct! I was confused, since both go direct to my inbox and public-web-security sees so little traffic these last few months.

I still think that the WASC mailing list is more likely to help Yuming out.

> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Monday, August 27, 2012 3:21 PM
> To: Hill, Brad
> Cc: yuming huang; public-web-security@w3.org
> Subject: Re: http client side security issues
>
> Oh, my understanding was that public-web-security had a somewhat broader
> focus than public-webappsec because it's for the Web Security Interest Group
> [1] rather than the Web Application Security Working Group [2].
>
> Adam
>
> [1] http://www.w3.org/2011/07/security-ig-charter.html
> [2] http://www.w3.org/2011/08/appsecwg-charter.html
>
>
> On Mon, Aug 27, 2012 at 3:07 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> > Thanks, Adam.
> >
> > Yuming, this list is for discussing the specifications under
> > development in the Web Application Security Working Group at the W3C.
> > (specifically, Content Security Policy, Cross Origin Resource Sharing
> > and anti-clickjacking work)
> >
> > I would second Adam's suggestion that OWASP is a good resource for
> > general web security questions, as is the WASC, at http://webappsec.org/,
> > and with a mailing list at:
> >
> > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> >
> > Good luck,
> >
> > Brad Hill
> >
> >> -----Original Message-----
> >> From: Adam Barth [mailto:w3c@adambarth.com]
> >> Sent: Monday, August 27, 2012 11:00 AM
> >> To: yuming huang
> >> Cc: public-web-security@w3.org
> >> Subject: Re: http client side security issues
> >>
> >> You might not get the kinds of responses you're looking for from this
> >> mailing list. You might find better information from OWASP:
> >>
> >> https://www.owasp.org/
> >>
> >> Adam
> >>
> >>
> >> On Fri, Aug 24, 2012 at 2:06 PM, yuming huang
> >> <http.client.security@hotmail.com> wrote:
> >> > Hi,
> >> >
> >> > The following questions are about current HTML standard (HTML 4.0,
> >> > 4.1, 5.0?), as well as actual implementations (Internet Explorer,
> >> > Firefox, Chrome).
> >> >
> >> > 1. Is silent download other than the HTML file itself allowed? How does it
> >> > work if possible? How to prevent it from happening?
> >> > For example (IE), a user types in a url and hits enter key. IE
> >> > renders a web page (user sees it) and downloads a binary file
> >> > silently to user's PC (user does not know). Later the binary gets to run.
> >> >
> >> > 2. What are the means for web server to collect information from a
> >> > web client user? Form, Cookie, browser signature...
> >> >
> >> >
> >> > I searched http://lists.w3.org/Archives/Public/public-web-security/
> >> > but found no result.
> >> >
> >> >
> >> > Thanks!

Received on Monday, 27 August 2012 22:24:19 UTC