
[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Michal Zalewski <lcamtuf@dione.cc>
Date: Sun, 28 Sep 2008 11:36:54 +0200 (CEST)
Message-ID: <Pine.LNX.4.64.0809281133450.10659@dione.cc>
On Sun, 28 Sep 2008, Michal Zalewski wrote:

> If you have faith that all these places can be patched up because we 
> tell them so, and that those who want to would be able to do so 
> consistently and reliably - look at the current history of XSRF and XSS 
> vulnerabilities.

...and consequently, the worst-case scenario for breaking a page that did 
not need the protection to begin with is that the owner easily opts out, 
in a manner that is trivial to verify across his resources; on the other 
hand, the worst-case scenario for leaving one out of thousands of resources 
on Facebook, MySpace, eBay, or my wife's cat fanciers' forum accidentally 
not protected by an opt-in mechanism in some obscure code path... is more 
or less widespread misery that is extremely hard and sometimes expensive 
to clean up.

/mz
Received on Sunday, 28 September 2008 02:36:54 UTC
