- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 11 Sep 2013 11:25:56 +0100
- To: Austin William Wright <aaa@bzfx.net>
- Cc: "Hill, Brad" <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Sep 10, 2013 at 11:19 PM, Austin William Wright <aaa@bzfx.net> wrote:
> On Fri, Sep 6, 2013 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> It's not a security hole.
>
> It may not be in the scope of CORS or WebAppSec to fix for most cases, but I nonetheless do describe a security hole, that potentially sensitive information may be leaked. We already identified some:

These seem unrelated to CORS.

> Overall, the course of action here would be to raise an issue with the appropriate WG.

The things you "identified" cannot be fixed as content relies on them not being fixed. The way we solve them is by providing sites additional hooks.

>> The HTML Standard defines the security model of the web, irrespective of what scope or charters have to say about it. As for the HTML WG, it's mostly in the business of copy-and-pasting the HTML Standard.
>
> Since when?

The former started in 2004, the latter in 2007, or a bit later depending on how you view things.

> Are these two notes something that can be added?

How does http://www.w3.org/TR/cors/#security not cover this?

--
http://annevankesteren.nl/
Received on Wednesday, 11 September 2013 10:26:23 UTC