RE: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

On Thu, 3 Apr 2008, Close, Tyler J. wrote:
> Maciej Stachowiak wrote:
> >
> > Can you please post these examples again, or pointers to where you 
> > posted them? I believe they have not been previously seen on the Web 
> > API list.
> 
> I've written several messages to the appformats mailing list. I suggest 
> reading all of them. The most detailed description of the attacks is in 
> the message at:
> 
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B6507@G6W0269.americas.hpqcorp.net
> 
> with a correction at:
> 
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B650D@G6W0269.americas.hpqcorp.net

As noted here:

   http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0138.html

...these are not problems with the Access Control and XXX specs. XDR is 
just as susceptible to these problems.

The above e-mail also describes ways to mitigate these problems.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 3 April 2008 01:16:15 UTC