Re: Call for Consensus: Stop work and transition 3 Working Drafts to Working Group Notes

From: David Ross <drx@google.com>
Date: Mon, 18 Jul 2016 12:48:18 -0700
Message-ID: <CAMM+ux5Ou7aKheeo8Wab72EZhg90bDGcKQbsi9fsApxCOBd+rQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

How would you define URL manipulation?

I think the goal of something like EPR should be not to block all paths to
navigate into an app, but just to give apps an easy way to control the
attack surface they expose.

Dave

On Mon, Jul 18, 2016 at 9:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Jul 18, 2016 at 6:00 PM, David Ross <drx@google.com> wrote:
> > I also see potential for lower-level isolation technologies to evolve and
> > provide EPR-like functionality.
>
> An API for Container Tabs (which makes sense to me, mind you) doesn't
> really address the problem of URL manipulation. I guess we could
> couple it with not allowing request bodies, which relies on the user
> having visited the site at least once, but the attack vector we're
> concerned with is mostly sites the user has an established
> relationship with I suppose. Maybe that's good enough. Not breaking
> URLs is rather nice...
>
>
> --
> https://annevankesteren.nl/
>
Received on Monday, 18 July 2016 19:49:05 UTC