- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 13 Feb 2015 01:59:02 +0100
- To: David Ross <drx@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
* David Ross wrote:
>So how exactly would this all play out if EPR were to get implemented in
>browsers? Brian Smith suggested that the concern was all about
>*unintended* abuse of EPR. So to me it sounds like the scenario is just
>that people become overzealous with implementing EPR on their sites in
>order to mitigate XSS / XSRF. To the extent that large and very public
>facing sites adopt it (as opposed to the intended "control panel" type
>scenarios). Is this the worry?

If I "implement EPR" to force visitors to go through `/` on my site so
they load the right `<frameset>` or watch my Flash intro or whatever, I
am just being "overzealous" in "mitigating XSS / XSRF"?
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015) · http://www.websitedev.de/
Received on Friday, 13 February 2015 00:59:31 UTC