Re: [webauthn] Code Injection vulnerability from client side (#1965)

If the user is already tricked into self-XSS, the attacker could just directly extract the session data? At this point, hardening WebAuthn against self-XSS is a plaster on a wooden leg, no?

-- 
GitHub Notification of comment by serianox
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1722293375 using your GitHub account


Received on Saturday, 16 September 2023 18:54:44 UTC