- From: Michal Zalewski <lcamtuf@dione.cc>
- Date: Sun, 28 Sep 2008 11:36:54 +0200 (CEST)
On Sun, 28 Sep 2008, Michal Zalewski wrote:

> If you have faith that all these places can be patched up because we
> tell them so, and that those who want to would be able to do so
> consistently and reliably - look at the current history of XSRF and XSS
> vulnerabilities.

...and consequently, the worst-case scenario for breaking a page that did not need the protection to begin with is that the owner easily opts out, in a manner that is trivial to verify across his resources; on the other hand, the worst-case scenario for leaving one out of thousands of resources on Facebook, MySpace, eBay, or my wife's cat fanciers' forum accidentally not protected by an opt-in mechanism in some obscure code path... is more or less widespread misery that is extremely hard and sometimes expensive to clean up.

/mz
Received on Sunday, 28 September 2008 02:36:54 UTC