W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2017

Re: Partial SOP Bypass via W3 Standards

From: John Wilander <wilander@apple.com>
Date: Mon, 11 Sep 2017 10:50:13 -0700
Message-id: <CFC659C4-5F40-4FB4-9FD3-125003A0B349@apple.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
To: David Dworken <david@daviddworken.com>
For Apple, you can report security and privacy issues over email to product-security@apple.com <mailto:product-security@apple.com> and use PGP to protect the information in-flight: https://support.apple.com/en-us/HT201214 <https://support.apple.com/en-us/HT201214>.

For WebKit specifically, you can file a security bug here: https://bugs.webkit.org/enter_bug.cgi?product=Security <https://bugs.webkit.org/enter_bug.cgi?product=Security>

   Regards, John

> On Sep 11, 2017, at 10:34 AM, Angelo Liao <huliao@microsoft.com> wrote:
> For security bugs on Edge/IE, you can email the secure@microsoft.com <mailto:secure@microsoft.com> alias and we will respond accordingly. You can also submit bugs through https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/ <https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/>.  
>   <>
> From: Mike West [mailto:mkwst@google.com] 
> Sent: Monday, September 11, 2017 7:24 AM
> To: David Dworken <david@daviddworken.com>; public-webappsec@w3.org
> Subject: Re: Partial SOP Bypass via W3 Standards
> I'd suggest filing bugs with vendors. For Chrome, that's https://bugs.chromium.org/p/chromium/issues/entry?template=Security%20Bug <https://bugs.chromium.org/p/chromium/issues/entry?template=Security%20Bug>. We can coordinate cross-vendor discussions privately if necessary.
> On Mon 11. Sep 2017 at 16:07, David Dworken <david@daviddworken.com <mailto:david@daviddworken.com>> wrote:
> Hi,
> I have discovered a partial SOP bypass that works in every browser due to a fundamental flaw in the W3 standards (for the time being, reach out to me individually if you need to see the proof of concept). Is this the correct place to open a discussion on how to fix or mitigate this flaw? Or is there a limited subset of trusted W3 members I should include in the discussion? Or should I send in bug reports to individual browser vendors? 
> Thanks,
> David Dworken
> -- 
> -mike
Received on Monday, 11 September 2017 17:50:38 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:23 UTC