Re: Partial SOP Bypass via W3 Standards from Mike West on 2017-09-11 (public-webappsec@w3.org from September 2017)

From: Mike West <mkwst@google.com>
Date: Mon, 11 Sep 2017 14:24:13 +0000
To: David Dworken <david@daviddworken.com>, public-webappsec@w3.org
Message-ID: <CAKXHy=eP_hJb_t3nVzma-t=4_dDH=3V+AwLvH2cs2N+SrtnCfg@mail.gmail.com>

I'd suggest filing bugs with vendors. For Chrome, that's
https://bugs.chromium.org/p/chromium/issues/entry?template=Security%20Bug.
We can coordinate cross-vendor discussions privately if necessary.

On Mon 11. Sep 2017 at 16:07, David Dworken <david@daviddworken.com> wrote:

> Hi,
>
> I have discovered a partial SOP bypass that works in every browser due to
> a fundamental flaw in the W3 standards (for the time being, reach out to me
> individually if you need to see the proof of concept). Is this the correct
> place to open a discussion on how to fix or mitigate this flaw? Or is there
> a limited subset of trusted W3 members I should include in the discussion?
> Or should I send in bug reports to individual browser vendors?
>
> Thanks,
> David Dworken
>
-- 
-mike

Received on Monday, 11 September 2017 14:24:47 UTC