W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2016

Re: Call for Consensus: Stop work and transition 3 Working Drafts to Working Group Notes

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 19 Jul 2016 09:49:27 +0200
Message-ID: <CADnb78i70Mpcz6=t=sNWFBsTnWjhA6614Lz+DprCvo+YHfbmeA@mail.gmail.com>
To: David Ross <drx@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jul 18, 2016 at 9:48 PM, David Ross <drx@google.com> wrote:
> How would you define URL manipulation?

Creating your own path/query/fragment.

> I think the goal of something like EPR should be not to block all paths to
> navigate into an app, but just to give apps an easy way to control the
> attack surface they expose.

Yeah, maybe if the browser acted as a shield for certain URLs that
could be enough. But yeah, deep linking is a concern. Providing cookie
isolation and request method/body isolation might be sufficient...

Received on Tuesday, 19 July 2016 07:49:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC