- From: Michal Zalewski <lcamtuf@dione.cc>
- Date: Sun, 28 Sep 2008 11:31:59 +0200 (CEST)
On Sat, 27 Sep 2008, Jim Jewett wrote:

> Yet opt-in proposals expect content authors to immediately add security
> checks everywhere, which is considerably less realistic than having a
> handful of webpages adjust their behavior, if we indeed break it (which I
> don't think would be likely with the design). It feels better, but I am
> inclined to think it is considerably less beneficial.
>
> Why? Most sites won't add the checks because they don't need them.

Static pages do not (but would likely see no ill effects, too). Almost all web applications, where the user has a distinct authenticated context, do.

Given that something like 90%+ of the list of top 100, 500, or whatever websites visited by typical users belongs to the latter category (well, looking at public stats at least), easily extrapolated to tens of millions of other less successful but still used resources (web forums, shops, chats, customer portals, etc), that all these are almost always significantly more complex than any static content (thousands of pages and hundreds of distinct features are not uncommon) - I indeed see a problem that is best addressed in an on-by-default mode.

If you have faith that all these places can be patched up because we tell them so, and that those who want to would be able to do so consistently and reliably - look at the current history of XSRF and XSS vulnerabilities.

/mz
Received on Sunday, 28 September 2008 02:31:59 UTC