Re: WebAppSec re-charter status

* David Ross wrote:
>So how exactly would this all play out if EPR were to get implemented in
>browsers?  Brian Smith suggested that the concern was all about
>*unintended* abuse of EPR.  So to me it sounds like the scenario is just
>that people become overzealous with implementing EPR on their sites in
>order to mitigate XSS / XSRF.  To the extent that large and very public
>facing sites adopt it (as opposed to the intended "control panel" type
>scenarios).  Is this the worry?

If I "implement EPR" to force visitors to go through `/` on my site so
they load the right `<frameset>` or watch my Flash intro or whatever, I
am just being "overzealous" in "mitigating XSS / XSRF"?

Björn Höhrmann
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78
Available for hire in Berlin (early 2015)

Received on Friday, 13 February 2015 00:59:31 UTC