Re: Partial SOP Bypass via W3 Standards from Daniel Veditz on 2017-09-11 (public-webappsec@w3.org from September 2017)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 11 Sep 2017 11:11:54 -0700
To: David Dworken <david@daviddworken.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADYDTCBekpvHLybTzVjOGr2e1yVGQBLoy3HYr3FZssTVLV95_g@mail.gmail.com>

For Firefox please file a security bug at https://bugzilla.mozilla.org/, or
email us at security@mozilla.org and use our PGP key to encrypt the
contents https://www.mozilla.org/en-US/security/#pgpkey

When you file the bug please make sure to use the "this is a security bug"
checkbox.

-Dan Veditz

On Sun, Sep 10, 2017 at 9:25 AM, David Dworken <david@daviddworken.com>
wrote:

> Hi,
>
> I have discovered a partial SOP bypass that works in every browser due to
> a fundamental flaw in the W3 standards (for the time being, reach out to me
> individually if you need to see the proof of concept). Is this the correct
> place to open a discussion on how to fix or mitigate this flaw? Or is there
> a limited subset of trusted W3 members I should include in the discussion?
> Or should I send in bug reports to individual browser vendors?
>
> Thanks,
> David Dworken
>

Received on Monday, 11 September 2017 18:12:37 UTC