W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2005

[whatwg] Updating Location Bar for RPC Type Apps

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 22 Apr 2005 23:51:04 +0000 (UTC)
Message-ID: <Pine.LNX.4.61.0504222335390.1260@dhalsim.dreamhost.com>
On Fri, 22 Apr 2005, Brad Neuberg wrote:
> Do you have an idea of what the threat model might be?  I.e. who is 
> attacking, why are they attacking, and how will they usually be 
> attacking.

There are a number of attack vectors but the main ones are letting scripts 
access data from other hosts or from the computer itself, letting scripts 
affect the user's experience with the computer and the internet outside 
the site in question, and making it easier for sites to spoof other sites 
or system services in order to fradulently obtain personal information.

So for example ways to disable the "back" button, or ways to override the 
user's window manager, and ways for sites to make it appear that they are 
other sites would be features that should never be allowed in the spec.

(<script src="">, <img src="">, and window.open() are examples of features 
that currently exist in HTML browsers but suffer from these problems to 
one extent or another.)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 22 April 2005 16:51:04 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:40 UTC