[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Michal Zalewski <lcamtuf@dione.cc>
Date: Fri, 26 Sep 2008 18:43:41 +0200 (CEST)
Message-ID: <Pine.LNX.4.64.0809261838560.17847@dione.cc>
On Fri, 26 Sep 2008, Elliotte Harold wrote:

> Absolutely false. The media simply needs to be served from the same host 
> the blog itself is. This is how almost all the media in my blogs works 
> today. What little content comes from a 3rd party site in my blogs 
> (mostly from laziness) could easily be moved to the sites that serve the 
> blogs.

I kinda assumed this suggestion was tongue-in-cheek, but if not - banning 
cross-domain IFRAMEs to fix one flaw, without providing viable methods for 
sandboxing untrusted same-origin content, would leave web developers with 
no tools to deal with quite a few classes of major security issues.

/mz
Received on Friday, 26 September 2008 09:43:41 UTC