Re: Partial SOP Bypass via W3 Standards

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 11 Sep 2017 11:11:54 -0700
Message-ID: <CADYDTCBekpvHLybTzVjOGr2e1yVGQBLoy3HYr3FZssTVLV95_g@mail.gmail.com>
To: David Dworken <david@daviddworken.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

For Firefox please file a security bug at https://bugzilla.mozilla.org/, or
email us at security@mozilla.org and use our PGP key to encrypt the
contents https://www.mozilla.org/en-US/security/#pgpkey

When you file the bug please make sure to use the "this is a security bug"
checkbox.

-Dan Veditz

On Sun, Sep 10, 2017 at 9:25 AM, David Dworken <david@daviddworken.com>
wrote:

> Hi,
>
> I have discovered a partial SOP bypass that works in every browser due to
> a fundamental flaw in the W3 standards (for the time being, reach out to me
> individually if you need to see the proof of concept). Is this the correct
> place to open a discussion on how to fix or mitigate this flaw? Or is there
> a limited subset of trusted W3 members I should include in the discussion?
> Or should I send in bug reports to individual browser vendors?
>
> Thanks,
> David Dworken

Received on Monday, 11 September 2017 18:12:37 UTC