W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: WebAppSec re-charter status

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 13 Feb 2015 01:59:02 +0100
To: David Ross <drx@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <75iqdat4blc5trd7rkaogaedi5m1aruh60@hive.bjoern.hoehrmann.de>
* David Ross wrote:
>So how exactly would this all play out if EPR were to get implemented in
>browsers?  Brian Smith suggested that the concern was all about
>*unintended* abuse of EPR.  So to me it sounds like the scenario is just
>that people become overzealous with implementing EPR on their sites in
>order to mitigate XSS / XSRF.  To the extent that large and very public
>facing sites adopt it (as opposed to the intended "control panel" type
>scenarios).  Is this the worry?

If I "implement EPR" to force visitors to go through `/` on my site so
they load the right `<frameset>` or watch my Flash intro or whatever, I
am just being "overzealous" in "mitigating XSS / XSRF"?
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
Received on Friday, 13 February 2015 00:59:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC